
Isn't advantageous for a browser to cache static content?


I have been doing some OWASP tests and one of the low level threats is:

Low (Medium)    Incomplete or No Cache-control and Pragma HTTP Header Set

Description

The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.

URL

<redacted url>

Evidence

public, must-revalidate, proxy-revalidate

The suggestion from OWASP is to prevent the content from being cached ... but this doesn't make any sense. I thought it helped your page loading speed if certain contents are cached by the browser? In addition how is caching static content a security threat?


Solution

  • It is advantageous for performance.

    It is not advantageous for security if those pages contain sensitive information. If these headers are not set then even if you log out of a website then someone with access to your computer could access these pages from your history by just using the 'back' button. Intermediate proxies can also cache the pages. Security is all about context - if there's no sensitive information there then this isn't a problem.
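The answer above draws the line by context: long-lived caching for static assets, no caching at all for pages that may carry a logged-in user's data. The following Python demo is an added example, not code from the question or answer and not OWASP's own tooling. It does two things: picks caching headers per URL (the `/static/` and `/assets/` prefixes, the header values and the port are assumptions for the demo), and runs a small checker over a Cache-Control value, using the `Evidence` string quoted in the question as sample input, to show why `public, must-revalidate, proxy-revalidate` still allows a copy to be stored.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

# Assumption for this demo: anything under these prefixes is a public static
# asset (CSS, JS, images); every other path is treated as a page that may
# carry per-user, sensitive content.
STATIC_PREFIXES = ("/static/", "/assets/")


def cache_headers_for(path: str) -> Dict[str, str]:
    """Return the caching headers a response for `path` should carry."""
    if path.startswith(STATIC_PREFIXES):
        # Static content: let browsers and proxies keep it for a year.
        # (Pair this with versioned filenames so updates bypass old copies.)
        return {"Cache-Control": "public, max-age=31536000, immutable"}
    # Sensitive page: no-store forbids writing the response to any cache;
    # Pragma and Expires cover HTTP/1.0 clients and older proxies.
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def review_cache_control(value: str) -> List[str]:
    """Findings for a page that must not be cached; empty list means OK.

    Written in the spirit of the scanner alert quoted in the question; the
    exact rules are this demo's own, not the scanner's.
    """
    d = parse_cache_control(value)
    findings: List[str] = []
    if "no-store" not in d:
        findings.append(
            "missing no-store: browsers and proxies may write the response to disk"
        )
    if "public" in d:
        findings.append(
            "public: explicitly allows shared (proxy) caches to store the response"
        )
    if d.get("max-age") not in (None, "0"):
        findings.append(f"max-age={d['max-age']}: a stored copy may be reused that long")
    # must-revalidate / proxy-revalidate only govern reuse of a stale copy;
    # they do not stop the copy from being stored in the first place.
    return findings


class DemoHandler(BaseHTTPRequestHandler):
    """Tiny server that applies cache_headers_for() to every GET."""

    def do_GET(self) -> None:
        body = f"served {self.path}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        for name, val in cache_headers_for(self.path).items():
            self.send_header(name, val)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # The Evidence value from the question, run through the checker.
    evidence = "public, must-revalidate, proxy-revalidate"
    for finding in review_cache_control(evidence):
        print("-", finding)
    # Then serve locally so the headers can be compared with `curl -I`
    # against e.g. /static/app.css and /account/settings.
    print("listening on http://127.0.0.1:8000/")
    HTTPServer(("127.0.0.1", 8000), DemoHandler).serve_forever()
```

Running the checker on the quoted evidence reports two findings (no `no-store`, and `public` inviting shared caches); the headers the demo emits for a non-static path produce none. The split by path prefix is the simplest form of the "context" the answer mentions; in a real application the decision usually hinges on whether the response is tied to a session rather than on the URL alone.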