Low Security Header

Clear-Site-Data

Learn how to clear browser data for your website to improve security and privacy.

SiteSecurityScore Team·7 min read·Updated Feb 20, 2026

Clear-Site-Data is a security header that allows websites to clear browser data for their domain. This header is useful for improving security during logout procedures and preventing data persistence attacks.

What is Clear-Site-Data?

Clear-Site-Data is a security header that instructs the browser to delete stored data associated with your website. When the browser receives this header, it wipes the specified data types: cookies, cache, local storage, session storage, and more. This is particularly useful for logout endpoints, where you want to ensure all user data is thoroughly removed from the browser.

  • Clears cookies, cache, localStorage, sessionStorage, and IndexedDB for your domain
  • Ensures no residual user data remains in the browser after logout
  • Works server-side, so it functions even if client-side JavaScript fails
  • Can target specific data types or clear everything at once

Why Clear-Site-Data Matters

When a user logs out, simply deleting the session cookie may not be enough. Cached pages, stored tokens in localStorage, and other browser data can persist. An attacker who gains physical access to the device (or uses a shared computer) could access this residual data. Clear-Site-Data provides a reliable, server-controlled way to wipe all traces.

  • Cached authenticated pages may remain accessible after a simple cookie deletion
  • Tokens stored in localStorage persist even after cookies are cleared
  • Shared or public computers pose a risk if previous user data is not fully removed
  • Client-side cleanup scripts can fail silently, but the header is sent by the server and does not depend on page JavaScript running

Shared Computer Risk

On shared computers (libraries, internet cafes, coworking spaces), residual data from a previous session is a real security risk. Clear-Site-Data on your logout endpoint ensures that all user data is wiped regardless of whether the user remembers to manually clear their browser data.

Data Types You Can Clear

The header accepts multiple quoted string values, each targeting a different type of browser data. You can combine them to clear exactly what you need.

  • "cache": Clears the HTTP cache, so cached pages and resources are re-fetched on next visit
  • "cookies": Removes all cookies for your domain, effectively logging the user out
  • "storage": Clears localStorage, sessionStorage, IndexedDB, and other storage APIs
  • "executionContexts": Reloads all browsing contexts (tabs/windows) for your origin
  • "*": A wildcard that clears all of the above in a single directive
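
Because each value must be a quoted string, a header such as `cache, cookies` is easy to ship by mistake. The following is an added example, not code from the original page: a small linter that checks header values against the five values listed above and flags the header when it appears outside a logout path. The paths and sample responses are constructed for illustration.

```javascript
// Added example: lint Clear-Site-Data values against the five values this page lists.
const KNOWN_TYPES = new Set(['cache', 'cookies', 'storage', 'executionContexts', '*']);

// Parse one header value; returns the recognised types and any problems found.
function lintClearSiteData(value) {
  const types = [];
  const problems = [];
  for (const raw of value.split(',')) {
    const token = raw.trim();
    const quoted = /^"([^"]*)"$/.exec(token);
    if (!quoted) {
      problems.push(`not a quoted string: ${token || '(empty)'}`);
    } else if (!KNOWN_TYPES.has(quoted[1])) {
      problems.push(`not one of the listed types: ${token}`);
    } else if (!types.includes(quoted[1])) {
      types.push(quoted[1]);
    }
  }
  if (types.includes('*') && types.length > 1) {
    problems.push('"*" already covers every other type');
  }
  return { types, problems };
}

// Audit captured responses: the header belongs on logout paths only.
function auditResponses(responses, logoutPaths) {
  const findings = [];
  for (const { path, headers } of responses) {
    const value = headers['clear-site-data'];
    const isLogout = logoutPaths.includes(path);
    if (value === undefined) {
      if (isLogout) findings.push(`${path}: logout response has no Clear-Site-Data`);
      continue;
    }
    if (!isLogout) findings.push(`${path}: Clear-Site-Data set outside a logout endpoint`);
    for (const p of lintClearSiteData(value).problems) findings.push(`${path}: ${p}`);
  }
  return findings;
}

// Constructed sample responses (header names lower-cased, as Node exposes them).
const SAMPLE = [
  { path: '/logout', headers: { 'clear-site-data': '"cache", "cookies", "storage"' } },
  { path: '/account/logout', headers: { 'clear-site-data': 'cache, cookies' } },
  { path: '/dashboard', headers: { 'clear-site-data': '"*"' } },
  { path: '/signout', headers: {} },
];
console.log(auditResponses(SAMPLE, ['/logout', '/account/logout', '/signout']));
```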

Implementation Guide

The most common use case is adding Clear-Site-Data to your logout endpoint. When the user's browser receives the response from the logout URL, it clears the specified data before rendering the response.

Logout Endpoints Only

Only set Clear-Site-Data on your logout endpoint, not on every page. Setting it globally would clear all user data on every request, which would break your application.

Configuration

    # Apache - on logout endpoint
    <Location /logout>
        Header always set Clear-Site-Data '"cache", "cookies", "storage"'
    </Location>

    # Nginx - on logout endpoint
    location /logout {
        add_header Clear-Site-Data '"cache", "cookies", "storage"' always;
    }

    // Node.js / Express
    app.post('/logout', (req, res) => {
      res.setHeader('Clear-Site-Data', '"cache", "cookies", "storage"');
      res.redirect('/login');
    });

Best Practices

Use Clear-Site-Data strategically to enhance your application's security without affecting normal user experience.

  • Add to your logout endpoint to ensure complete data cleanup after user sessions
  • Use "cache", "cookies", "storage" for logout (usually skip "executionContexts" as it forces tab reload)
  • Test that the header properly clears all session data after logout
  • Combine with proper server-side session invalidation for complete security
  • Be aware that browser support varies, so keep server-side session cleanup as the primary defense
  • Consider using this header on password change endpoints as an additional security measure
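
The practices above combined in one logout handler, as an added example rather than code from the original page: the session is invalidated on the server first, and the header is sent as a second layer. The handler takes the `(req, res)` pair that Node's `http` module passes to a request listener. The `sessions` Map, the cookie name `sid`, the `Set-Cookie` attributes and the `fakeResponse` stand-in are assumptions for illustration.

```javascript
// Added example. The session store and cookie name are assumptions.
const SESSION_COOKIE = 'sid';

// Return the value of one cookie from a Cookie request header, or null.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Returns true when a live server-side session was found and destroyed.
function handleLogout(req, res, sessions) {
  if (req.method !== 'POST') {
    res.writeHead(405, { Allow: 'POST' });
    res.end();
    return false;
  }
  // 1. Primary defense: invalidate the session on the server.
  const sid = readCookie(req.headers.cookie, SESSION_COOKIE);
  const existed = sid !== null && sessions.delete(sid);
  // 2. Additional layer: ask the browser to wipe what it holds for this site.
  res.writeHead(303, {
    Location: '/login',
    'Clear-Site-Data': '"cache", "cookies", "storage"',
    // Fallback for browsers that ignore the header: expire the cookie explicitly.
    'Set-Cookie': `${SESSION_COOKIE}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`,
    'Cache-Control': 'no-store',
  });
  res.end();
  return existed;
}

// Constructed stand-in for http.ServerResponse so the handler runs offline.
function fakeResponse() {
  return {
    status: null,
    headers: {},
    writeHead(status, headers) { this.status = status; this.headers = headers; },
    end() {},
  };
}

const demoSessions = new Map([['abc123', 'alice']]); // constructed sample session
const demoRes = fakeResponse();
handleLogout({ method: 'POST', headers: { cookie: 'theme=dark; sid=abc123' } }, demoRes, demoSessions);
console.log(demoRes.status, demoRes.headers, demoSessions.size);
```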

Implementation Examples

Clear All Data

Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"

Clears all types of browser data

Explanation: This clears cache, cookies, and storage for your domain and reloads its open browsing contexts (tabs/windows).

Clear Specific Data

Clear-Site-Data: "cookies", "storage"

Clears only cookies and storage

Explanation: This clears only cookies and storage, leaving the cache in place and open tabs unreloaded.

Key Directives

  • "cache": Clears browser cache for the site
  • "cookies": Clears cookies for the site
  • "storage": Clears storage (localStorage, sessionStorage) for the site
  • "executionContexts": Reloads open browsing contexts (tabs/windows) for the site
  • "*": Clears all data types
