There are requests in my web application that contain "personal data" (name, postal code, phone number, date of birth etc). I would like to know what caching controls are advisable. I am using HTTPS.
This question, "Best practice for caching sensitive data", has been asked before.
It looks like I should be using Cache-Control: private if I'm not very paranoid...
Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache, such as a proxy server.
...and Cache-Control: no-store if I am very paranoid.
And by "paranoid" I mean: "thinking that keeping personal data in the user-agent's single-user cache is a bad idea".
I think keeping personal data in a user-agent's single-user cache is basically fine. It looks like opinion is divided on this, and my opinion is from about 10 minutes of googling. Also, I don't think the linked question really provides a way of making an informed decision here. So I'd like to hear if people disagree.
Do I need to change my approach here because of GDPR?
If I had asked the same question for "Sensitive Personal Data" does anything change?
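As an added illustration of the two directives the question weighs (this is example code, not part of the original post or of any particular framework), the block below does two things: it classifies what a Cache-Control value permits (shared caches, only the user's own browser cache, or no storage at all), and it shows a WSGI middleware that forces Cache-Control: no-store onto any response the application has marked as carrying personal data, so the decision is made once centrally rather than per handler. The marker header X-Contains-Personal-Data, the demo_app routes and the sample profile JSON are all assumptions constructed for this example.

```python
"""Added example: classify Cache-Control directives and enforce no-store
on responses that an application marks as containing personal data.
The marker header name and the demo application are constructed for
this example; they are not a standard or a framework convention."""
from typing import Dict, Optional, Tuple

# Internal marker a handler sets when a response carries personal data.
# It is stripped before the response leaves the server. (Assumed name.)
PERSONAL_DATA_MARKER = "X-Contains-Personal-Data"

# Headers that must not survive once we decide the response is no-store,
# so a stale 'private, max-age=...' or 'Expires' cannot contradict it.
_CACHING_HEADERS = {"cache-control", "pragma", "expires"}


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Parse 'private, max-age=60, no-transform' into {directive: argument}.
    Directive names are case-insensitive, so they are lower-cased here."""
    directives: Dict[str, Optional[str]] = {}
    if not value:
        return directives
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cacheability(value: Optional[str]) -> str:
    """Summarise which caches a Cache-Control value allows to store a response.

    'uncacheable'  : no-store present; neither shared nor private caches store it
    'private-only' : private present; only the single user's browser cache may store it
    'shared-ok'    : nothing forbids a shared cache (proxy/CDN) from storing it
    """
    d = parse_cache_control(value)
    if "no-store" in d:
        return "uncacheable"
    if "private" in d:
        return "private-only"
    return "shared-ok"


class NoStoreForPersonalData:
    """WSGI middleware: any response carrying PERSONAL_DATA_MARKER is rewritten
    to Cache-Control: no-store and the internal marker is removed."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            marked = any(k.lower() == PERSONAL_DATA_MARKER.lower() for k, _ in headers)
            if marked:
                headers = [
                    (k, v) for k, v in headers
                    if k.lower() != PERSONAL_DATA_MARKER.lower()
                    and k.lower() not in _CACHING_HEADERS
                ]
                headers.append(("Cache-Control", "no-store"))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Constructed sample application with one personal-data route and one public route."""
    path = environ.get("PATH_INFO", "/")
    if path == "/profile":
        body = b'{"name": "A. Person", "postcode": "AB1 2CD"}'  # constructed sample data
        headers = [
            ("Content-Type", "application/json"),
            ("Cache-Control", "private, max-age=60"),  # what a framework default might emit
            (PERSONAL_DATA_MARKER, "1"),
        ]
    else:
        body = b"<html>public page</html>"
        headers = [("Content-Type", "text/html"), ("Cache-Control", "public, max-age=3600")]
    start_response("200 OK", headers)
    return [body]


def run(app, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app offline and return (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    wrapped = NoStoreForPersonalData(demo_app)
    for route in ("/profile", "/"):
        status, hdrs, _ = run(wrapped, route)
        print(route, hdrs.get("Cache-Control"), "->", cacheability(hdrs.get("Cache-Control")))
```

The classifier treats an absent Cache-Control header as shared-ok on purpose: without an explicit directive, HTTP/1.1 lets caches apply heuristic freshness, so a response containing personal data that is sent with no header at all is the case to watch for, not just the private-versus-no-store choice.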