Hi,

On Apache Tomcat 10.1.42 with a configured SSL Connector, a web application with Spring and Spring Security returns the configured default Spring Security Cache Control HTTP response headers:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0

But when I add the following to tomcat\conf\web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>securedapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

the response contains:

    Cache-Control: private

This occurs for HTTP GET requests.

Is this Tomcat 10 related behavior? The same app on Tomcat 9 with the same security-constraint returns the correct headers.

Tech:
x64 Windows 11 Pro (10.0.26100)
Apache Tomcat 10.1.42
Java 21