simon litwan wrote: > do you mean set "Cache-Control" headers to force the client not to cache > any of access-controlled content? Yes, I think that's really needed. Otherwise both caches in browsers and in proxies are allowed to keep the contents, and to serve it later on... BR, Julian