Browser like Firefox and Chrome take screen shot of the visited websites and can show them on a new tab as "recent used website".
Since my website is showing confidential information, how could I avoid the browsers to take screen shots for the "recent website" list, or at least limit it to the login page (like Facebook or banking website are doing)?
I found a possible answer in Is there a W3C standard meta tag to determine the cover image used to represent a website? but it seems a still unstable method, and banking sites I investigated are not using it apparently so I suspect there is another (better?) solution.
Any idea? I need it working at least for Firefox.
Note: sites are using HTTPS. Under Chrome, use HTTPS seems to solve it since blank screen is shown as preview. Firefox does show it even when using HTTPS.
UPDATE: On Mozzila's support page https://support.mozilla.org/en-US/kb/thumbnails-new-tab-page-missing-how-get-them-back they state the following:
Note: Some websites don't allow images (--> thumbnail) to be generated and saved
Unfortunately they don't tell how to do it... But yes it seems there is a way to avoid it...
UPDATE 2: What I actually am looking for is that the site uses cache for Javascript and images, but not for thumbnails. Use of HTTPS would to solve it, except because of the Firefox bug.
I think I finally got it solved.
First of all, the "application manifest" does not help.
Based on @Peter's answer I found a way to implement it without loosing the browser cache for my "usefull" code, and keeping URL intact.
To archive it, I use a "main" page, that is the actual URL for the browser (-->thumbnail), with no caching, but it just contains a frame, where my "real" page is called internally. The real page does use caching, but since the website URL is the "no cache page", it seems thumbnail is not always the login page, even when the new page tab thumbnail points to my "main" page.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache no-store">
<meta http-equiv="expires" content="0">
<title>My Website</title>
</head><body style="margin: 0;">
<iframe src="init_index_main.jsp" name="main" style="position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;" ></iframe>
</body>
</html>
So actually I implement all 3 recommendations of Peter, avoiding their side effect. Actually, I was already using the frame workaround to hide the real URL to the (common) users.
Of course if the user opens a link in a new tab, leaving the "main" frame, it could generate a thumbnail, but that's no the normal flow so I can live with it.