Clear-Site-Data
Clear-Site-Data lets a response tell the browser to wipe cookies, storage, and caches for your origin. Send it on logout so a shared device keeps nothing behind.
What it is
Clear-Site-Data is a response header that tells the browser to throw away data it holds for your origin — cookies, DOM storage, caches, and more. Each value is a quoted token, and you can send several at once.
Clear-Site-Data: "cache", "cookies", "storage"
The header is defined by the W3C Clear Site Data specification (a Web Application Security Working Group draft) and has been Baseline, newly available across the major browser engines, since September 2023. It is honoured only in a secure context (HTTPS; http://localhost also counts as a secure context, which is convenient for local testing).
The directives:
- "cookies": removes all cookies and HTTP authentication credentials for the registrable domain of the response, including every subdomain.
- "storage": clears localStorage, sessionStorage and IndexedDB, and unregisters service workers.
- "cache": clears the HTTP cache, and often the back/forward cache and prerendered pages as well.
- "clientHints": drops stored client hints (these are also cleared by "cookies", "cache" or "*").
- "prefetchCache" / "prerenderCache": discard speculation-rules prefetches and prerenders.
- "executionContexts": reloads every open browsing context for the origin, so scripts holding tokens in memory start fresh. Support for this type is less consistent across browsers than for "cache", "cookies" and "storage", so verify it in the browsers you target.
- "*": everything, including data types added in future revisions of the specification.
Why it matters
When a user signs out, the session is over on the server — but the browser still holds their cookies, cached pages, and whatever you wrote to storage. On a shared or public machine, the next person can hit the back button onto a cached account page, or a stale token can linger. Clear-Site-Data closes that gap in a single header, without you having to enumerate and expire each cookie and storage key by hand.
It also helps when a credential has been compromised or rotated: serve the header once and the browser's copy of the old state is gone. It complements server-side revocation rather than replacing it, because the header only reaches the one browser that receives the response; a stolen session still has to be invalidated on the server.
How to implement
Send the header on the response that confirms the sign-out — the /logout redirect or its landing page — listing the data types you actually want gone:
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
Scope it to the exact responses that should clear data. Never send it site-wide: a stray Clear-Site-Data on every response wipes the user’s session on each request.
Common mistakes
- Omitting the quotes. Clear-Site-Data: cookies is invalid; the value must be "cookies".
- Sending it over plain HTTP. It is ignored outside a secure context.
- Expecting cross-origin reach. It clears only data belonging to the origin of the response (the registrable domain, in the case of cookies), never a third party's.
- "cookies" surprises. It clears the whole registrable domain, including every subdomain, which is intended but easy to forget when several applications share one parent domain.
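The mistakes above can be caught mechanically. The following audit function is an added example written for this page, not code from the original page or from any browser; given the URL a response came from and its headers, it reports each problem, and the allow-list of sign-out paths permitted to carry the header is an assumption for illustration.

```javascript
// Added example, not code from the original page. Offline audit of a
// response's Clear-Site-Data header for the mistakes listed above.
// The set of sign-out paths allowed to carry the header is assumed.
const KNOWN_TYPES = new Set([
  "cache", "cookies", "storage", "clientHints",
  "prefetchCache", "prerenderCache", "executionContexts", "*",
]);
const SIGN_OUT_PATHS = new Set(["/logout", "/signed-out"]);

// Directive tokens contain no commas, so a plain split is enough.
function splitDirectives(value) {
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Returns a list of findings, each prefixed "error:" (the header will not
// do what was intended) or "note:" (it works, but its scope is worth
// remembering).
function auditClearSiteData(url, headers) {
  const findings = [];
  // Header names are case-insensitive; accept any spelling.
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "clear-site-data");
  if (name === undefined) return findings;

  const { protocol, hostname, pathname } = new URL(url);
  const isLocalhost = hostname === "localhost" || hostname === "127.0.0.1";
  if (protocol !== "https:" && !isLocalhost) {
    findings.push("error: sent over plain HTTP; browsers ignore it outside a secure context");
  }
  if (!SIGN_OUT_PATHS.has(pathname)) {
    findings.push(`error: sent on ${pathname}, not a sign-out response; state is wiped on every visit`);
  }
  for (const raw of splitDirectives(headers[name])) {
    const quoted = /^"([^"]*)"$/.exec(raw);
    if (!quoted) {
      findings.push(`error: ${raw} is not a quoted token; write "${raw}"`);
      continue;
    }
    const type = quoted[1];
    if (!KNOWN_TYPES.has(type)) {
      findings.push(`error: unknown type "${type}" is ignored by browsers (typo?)`);
    } else if (type === "cookies" || type === "*") {
      findings.push(`note: "${type}" clears cookies for the whole registrable domain of ${hostname}, including subdomains`);
    }
  }
  return findings;
}

// True when nothing in the findings would stop the header from working.
function clearSiteDataOk(url, headers) {
  return auditClearSiteData(url, headers).every((f) => f.startsWith("note:"));
}
```

Feed it the URL and header map of each response in a crawl of the site; any response outside the sign-out paths that produces an "error:" finding is the stray header the previous section warns about.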
Verification
- curl -sI https://example.com/logout | grep -i clear-site-data should show the header on the sign-out response only.
- Sign in, sign out, then check DevTools → Application: cookies and storage for the origin should be empty.