Clear-Site-Data

The HTTP Clear-Site-Data response header instructs the browser to remove cached data, cookies, storage, or all browsing data associated with the requesting origin.

Usage

Deploying a broken asset, rotating authentication tokens, or logging a user out all create situations where stale client-side data needs to go. Walking users through manual cache clearing is unreliable. The Clear-Site-Data header gives the server a declarative way to evict specific categories of stored data in a single response.

The header accepts one or more quoted-string directives specifying which data types to clear. Multiple directives are comma-separated. The wildcard "*" clears everything, including data types added by future spec revisions.

The header only works over HTTPS. Browsers ignore the header on insecure HTTP responses. The scope of "cookies" extends to the entire registered domain and all subdomains, meaning a Clear-Site-Data response from example.re also clears cookies set by stage.example.re.

A common deployment pattern is attaching the header to a logout endpoint. The server responds to the sign-out request with Clear-Site-Data to wipe session cookies, cached resources, and local storage in one pass. Another pattern is a dedicated cache-busting URL served temporarily after a bad deployment, allowing operators to force visitors onto fresh assets without waiting for cache expiration.

Note

Sending Clear-Site-Data on every response effectively disables caching for the site. Each page load evicts the browser cache, causing noticeable performance degradation. Restrict the header to targeted responses like logout endpoints, error recovery pages, or temporary cache-busting URLs.

Note

All major browsers support the Clear-Site-Data header. Safari supports all directives except "executionContexts" and enforces origin partitioning, preventing a cross-site iframe from clearing first-party data.

Directives

"cache"

Clears the browser's HTTP cache for the origin. Certain implementations also clear related caches including pre-rendered pages, back-forward cache entries, script caches, WebGL shader caches, and address bar suggestions.

"cookies"

Clears all cookies for the registered domain and all subdomains. Also clears HTTP authentication credentials associated with the origin. The scope is broader than other directives because cookie domain matching includes parent and sibling subdomains.

"storage"

Clears DOM storage for the origin. This includes localStorage, sessionStorage, IndexedDB databases, Service Worker registrations, Web SQL databases (deprecated), FileSystem API data, and plugin data.

"executionContexts"

Reloads all browsing contexts for the origin. The browser executes the equivalent of location.reload() on every open tab or frame associated with the origin. This directive is experimental and not widely implemented.

Chromium-specific extensions

The "clientHints", "prefetchCache", and "prerenderCache" directives are Chromium-specific extensions not defined in the W3C Clear Site Data specification. The spec-defined directives are "cache", "cookies", "storage", "executionContexts", and "*". The Chromium extensions work only in Chromium-based browsers and are not recognized by Firefox or Safari.

"clientHints"

Clears stored client hint preferences set via the Accept-CH header. Chromium-specific extension. Clearing "cache", "cookies", or "*" also clears client hints automatically.

"prefetchCache"

Clears Speculation Rules prefetch caches scoped to the referrer origin. Chromium-specific extension. Useful for discarding stale prefetched content after a state change like login or logout. The header with this directive works on any same-site HTTP response.

"prerenderCache"

Clears Speculation Rules prerender caches scoped to the referrer origin. Chromium-specific extension. Pair it with "prefetchCache" to clear all speculative loading caches. A client-side rendered application that loads its data via JavaScript can send "prerenderCache" alone on state changes, discarding prerendered pages while keeping prefetched HTML intact.

"*" (wildcard)

Clears all data types for the origin, including any future directive types added to the specification. This is the safest choice for a full cleanup but also the most disruptive to the browsing experience.
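The directive rules above can be checked mechanically before a header value ships. The following is an added example, not code from the original page or from any browser: it sorts the items of a header value into spec-defined, Chromium-only, unquoted and unknown, then lists the caveats this page attaches to them. The function names and the sample value are constructed, and names are matched exactly as spelled on this page.

```python
# Directive names exactly as spelled on this page; matching is exact.
SPEC = ("cache", "cookies", "storage", "executionContexts", "*")
CHROMIUM_ONLY = ("clientHints", "prefetchCache", "prerenderCache")


def audit_clear_site_data(value):
    """Sort each comma-separated item of a header value into a bucket."""
    report = {"spec": [], "chromium_only": [], "unquoted": [], "unknown": []}
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if len(item) < 2 or not (item[0] == item[-1] == '"'):
            report["unquoted"].append(item)      # not a quoted-string
            continue
        name = item[1:-1]
        if name in SPEC:
            report["spec"].append(name)
        elif name in CHROMIUM_ONLY:
            report["chromium_only"].append(name)
        else:
            report["unknown"].append(name)
    return report


def review_notes(report):
    """Turn a report into the caveats this page attaches to each directive."""
    notes = []
    for item in report["unquoted"]:
        notes.append('%s is not a quoted-string; write "%s"' % (item, item.strip('"')))
    for name in report["unknown"]:
        notes.append('"%s" is not a directive listed on this page' % name)
    for name in report["chromium_only"]:
        notes.append('"%s" is Chromium-only; Firefox and Safari do not recognize it' % name)
    if "cookies" in report["spec"] or "*" in report["spec"]:
        notes.append("cookies are cleared for the registered domain and all subdomains")
    if "executionContexts" in report["spec"]:
        notes.append('"executionContexts" is experimental and not supported by Safari')
    return notes


# Constructed sample: one unquoted directive, one wrong-case name.
SAMPLE = '"cache", cookies, "prefetchCache", "Storage"'
```
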

Example

A logout endpoint clears session cookies and storage. The browser wipes all cookies for the domain (including subdomains), removes localStorage and IndexedDB data, and drops cached resources.

Clear-Site-Data: "cache", "cookies", "storage"
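One way to scope this header to the logout response alone, as the usage notes recommend, is a small WSGI middleware. This is an added example, not code from the original page: the /logout route, demo_app and the response_headers helper are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

LOGOUT_PATH = "/logout"                               # assumed route name
LOGOUT_DIRECTIVES = ("cache", "cookies", "storage")   # the page's logout example


def header_value(directives):
    """Serialize directives as comma-separated quoted-strings."""
    return ", ".join('"%s"' % d for d in directives)


class ClearSiteDataOnLogout:
    """Attach Clear-Site-Data to the logout response only, never site-wide."""

    def __init__(self, app, path=LOGOUT_PATH, directives=LOGOUT_DIRECTIVES):
        self.app, self.path = app, path
        self.value = header_value(directives)

    def __call__(self, environ, start_response):
        # Browsers ignore the header on insecure HTTP, so skip it there.
        # Behind a TLS-terminating proxy, wsgi.url_scheme must be set from
        # the trusted forwarded scheme before this middleware runs.
        wanted = (environ.get("PATH_INFO") == self.path
                  and environ.get("wsgi.url_scheme") == "https")

        def start(status, headers, exc_info=None):
            if wanted:
                # Replace any value the wrapped app set, so exactly one is sent.
                headers = [h for h in headers if h[0].lower() != "clear-site-data"]
                headers.append(("Clear-Site-Data", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start)


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def response_headers(app, path, scheme):
    """Drive one constructed request through app and return its headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"PATH_INFO": path, "wsgi.url_scheme": scheme})
    captured = {}
    list(app(environ, lambda status, headers, exc_info=None: captured.update(headers)))
    return captured
```
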

A targeted cache-only clear after a bad deployment. The server attaches this header to responses temporarily until visitors have cycled through fresh assets.

Clear-Site-Data: "cache"

A full cleanup using the wildcard. All cached data, cookies, storage, and any future data types are removed. Common on account deletion confirmation pages.

Clear-Site-Data: "*"

Clearing only speculative loading caches after a state change. Prefetched and prerendered pages from before the login event are discarded.

Clear-Site-Data: "prefetchCache", "prerenderCache"

Takeaway

The Clear-Site-Data header provides server-side control over client-stored data, enabling clean logouts, cache recovery after bad deployments, and targeted eviction of specific data categories. The header requires HTTPS and works best on targeted endpoints rather than site-wide responses.

Last updated: March 11, 2026