
I have read somewhere that when storing sensitive information on a website you should include cache-control: no-store for telling the browser not to store that information on the local system. But I think when cache-control: no-cache is used it just tells the browser to not cache that page.

So during one of my security assessments, I came across a website that is using only the cache-control: no-cache header in responses containing sensitive information like API keys, credit cards, and bank accounts.

Should such responses contain cache-control: no-store and pragma: no-cache for better security, or is cache-control: no-cache enough?

schroeder
tester

1 Answer


No, cache-control: no-cache will not prevent a browser cache from storing response data. Use cache-control: no-store instead.

According to RFC 7234, section 5.2.2.2:

The "no-cache" response directive indicates that the response MUST NOT be used to satisfy a subsequent request without successful validation on the origin server.

Note that "without successful validation" implies that the cached response may be used if validation with the origin server succeeds. (The validation process is described in section 4.3.) Therefore, cache-control: no-cache does not prevent the user agent from storing the content of the response.

pragma: no-cache is also incorrect for the same reason. See RFC 7234, section 5.4:

When the Cache-Control header field is not present in a request, caches MUST consider the no-cache request pragma-directive as having the same effect as if "Cache-Control: no-cache" were present (see Section 5.2.1).

In contrast, RFC 7234, section 5.2.2.3 says:

The "no-store" response directive indicates that a cache MUST NOT store any part of either the immediate request or response. This directive applies to both private and shared caches. "MUST NOT store" in this context means that the cache MUST NOT intentionally store the information in non-volatile storage, and MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible after forwarding it.

This sounds much closer to what you're looking for.

Ajedi32
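As an added example (not part of the question or the answer above), here is a small Python check a tester could run over a captured response's headers during an assessment: it parses Cache-Control the way RFC 7234 section 5.2 lays out directives and reports whether a cache may still store the response, treating no-cache and Pragma exactly as the answer explains. The header dict and function names are my own.

```python
"""Audit a response's caching headers for sensitive content (added example)."""
from dataclasses import dataclass


@dataclass
class CacheVerdict:
    storable: bool  # True if a cache is still allowed to store the response
    reason: str


def parse_cache_control(value: str) -> dict:
    """Return {directive: argument-or-None}, directive names lowercased.

    Quoted arguments such as private="Set-Cookie" are handled so that a
    comma inside the quotes does not split the directive list.
    """
    directives, token, in_quotes = {}, "", False
    for ch in value + ",":  # trailing comma flushes the last directive
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            name, _, arg = token.strip().partition("=")
            if name:
                directives[name.lower()] = arg.strip('" ') if arg else None
            token = ""
        else:
            token += ch
    return directives


def audit_response_caching(headers: dict) -> CacheVerdict:
    """Decide whether a response carrying sensitive data may be cached.

    `headers` maps header names (any case) to values. Only no-store forbids
    storage; no-cache merely requires revalidation before reuse, and Pragma
    is defined only as a request directive (RFC 7234, section 5.4).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return CacheVerdict(False, "no-store present: cache must not store the response")
    if "no-cache" in cc:
        return CacheVerdict(True, "no-cache only: response may be stored; reuse needs revalidation")
    if "no-cache" in lowered.get("pragma", "").lower():
        return CacheVerdict(True, "Pragma: no-cache has no defined effect on responses")
    return CacheVerdict(True, "no directive forbids storing the response")
```

A response like the one in the question (`Cache-Control: no-cache` only) is reported as storable, while one carrying `no-store` is not.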