Logout routes that invalidate server-side sessions but don't send Clear-Site-Data leave credentials and sensitive data in the browser's cookie jar, cache, localStorage, and sessionStorage. On a shared device — a library computer, a family laptop, a corporate workstation — the next user can often access the previous user's session by navigating to the application or inspecting browser storage. CWE-613 (Insufficient Session Expiration) and CWE-384 (Session Fixation) both apply. OWASP A07 (Identification and Authentication Failures) explicitly calls out incomplete session termination as an authentication failure — server-side logout without client-side cleanup is not a complete logout.
Rated high because incomplete client-side cleanup on logout lets a session persist on shared devices: the next user inherits the previous user's authenticated state without having to bypass any authentication control.
Add the Clear-Site-Data response header to your logout route handler. Set all three values to ensure complete browser-side cleanup.
// src/app/api/auth/signout/route.ts
// invalidateSession is the application's own server-side session teardown;
// import it from wherever the project keeps its session helpers.
export async function POST(req: Request) {
  // Invalidate the server-side session first, then tell the browser to wipe its copy
  await invalidateSession(req)
  return new Response(null, {
    status: 200,
    headers: {
      'Clear-Site-Data': '"cache", "cookies", "storage"'
    }
  })
}
The header value is a comma-separated list of quoted strings: "cookies" clears session cookies, "cache" removes cached authenticated responses, and "storage" wipes localStorage, sessionStorage, and IndexedDB. Browsers honor Clear-Site-Data only on responses delivered over HTTPS, so verify it against the deployed site rather than a plain-HTTP dev server. Be aware that "cookies" removes cookies for the whole registrable domain, not just the responding host, so applications on sibling subdomains are signed out as well. To test, open the Chrome DevTools Network tab and confirm the header appears on the logout response, then check the Application panel to verify that cookies and storage were cleared.
ID: security-headers-ii.transport-hardening.clear-site-data-logout
Severity: high
What to look for: Search for logout/signout route handlers in the project (common patterns: /api/auth/signout, /api/logout, /auth/logout, signOut handlers). For each logout route found, check whether the response includes a Clear-Site-Data header. The header value should include at least "cookies" (clears session cookies) and ideally "cache", "cookies", "storage" (full cleanup). Count logout/signout routes.
Pass criteria: At least 1 logout route sends the Clear-Site-Data header. Count all logout/signout routes found and report: "X of Y logout routes send Clear-Site-Data."
Fail criteria: Logout routes exist but none send Clear-Site-Data. Fewer than 1 logout route includes the header.
Skip (N/A) when: No logout/auth routes found — the project has no authentication or session management.
Cross-reference: For session management security, the Auth & Session Security audit covers session lifecycle.
Detail on fail: "Logout route /api/auth/signout does not send Clear-Site-Data header — session artifacts may persist in browser" or "0 of 2 logout routes send Clear-Site-Data — cookies and cache not cleared on signout"
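The following TypeScript is an added example, not part of this rule's text or any project's code. It implements the check described above as an offline audit helper: a parser for the Clear-Site-Data value (reusable against a header captured in DevTools during the verification step), a per-route assessment that looks for the header in a route handler's source, and the "X of Y logout routes send Clear-Site-Data" report with one detail line per failing route. Assumptions: logout routes are recognised by a path pattern (signout/logout variants), the header is detected textually with a regular expression (dynamically built header values would be missed), and the route files below are constructed samples rather than files read from disk.

```typescript
// Added audit helper (not part of the original rule or any project's code):
// parses a Clear-Site-Data value, decides whether a logout route's source
// sends the header, and builds the "X of Y" report the rule asks for.
// Route files are passed in as strings (constructed samples below) so the
// example runs offline; a real audit would read them from disk.

// Directives the rule expects: "cookies" at minimum, all three for full cleanup.
// "*" is the spec's wildcard and counts as clearing everything.
const FULL_CLEANUP = ["cache", "cookies", "storage"];

// File paths the rule treats as logout/signout handlers (assumed pattern).
const LOGOUT_PATH_PATTERN = /(sign-?out|log-?out)/i;

// Header name in quotes followed by ':' (object literal) or ',' (headers.set),
// then a string literal whose contents are captured in group 2.
const HEADER_RE = /['"]Clear-Site-Data['"]\s*[:,]\s*(['"`])((?:\\.|(?!\1)[\s\S])*?)\1/i;

interface RouteAssessment {
  path: string;
  hasHeader: boolean;     // a Clear-Site-Data header was found in the source
  wellFormed: boolean;    // every directive is a quoted string
  directives: string[];   // parsed, lower-cased, deduplicated
  clearsCookies: boolean; // includes "cookies" or "*"
  fullCleanup: boolean;   // includes cache + cookies + storage, or "*"
}

// Split a header value such as '"cache", "cookies", "storage"' into its
// directives. Unquoted tokens are kept (lower-cased) so callers can still
// report what was found; isWellFormed() says whether the quoting is right.
function parseClearSiteData(value: string): string[] {
  const seen = new Set<string>();
  for (const raw of value.split(",")) {
    const token = raw.trim();
    if (token === "") continue;
    const quoted = token.match(/^"([^"]*)"$/);
    const name = (quoted ? quoted[1] : token) || "";
    if (name !== "") seen.add(name.toLowerCase());
  }
  return Array.from(seen);
}

// Clear-Site-Data directives must be quoted strings; 'cache, cookies'
// (no quotes) is a common mistake the header grammar does not allow.
function isWellFormed(value: string): boolean {
  const tokens = value.split(",");
  return tokens.length > 0 && tokens.every((t) => /^\s*"[^"]+"\s*$/.test(t));
}

function assessRoute(path: string, source: string): RouteAssessment {
  const m = source.match(HEADER_RE);
  if (!m) {
    return { path, hasHeader: false, wellFormed: false, directives: [], clearsCookies: false, fullCleanup: false };
  }
  // Undo backslash escapes so "\"cookies\"" inside a double-quoted literal parses too.
  const value = (m[2] || "").replace(/\\(.)/g, "$1");
  const directives = parseClearSiteData(value);
  const wildcard = directives.indexOf("*") !== -1;
  return {
    path,
    hasHeader: true,
    wellFormed: isWellFormed(value),
    directives,
    clearsCookies: wildcard || directives.indexOf("cookies") !== -1,
    fullCleanup: wildcard || FULL_CLEANUP.every((d) => directives.indexOf(d) !== -1),
  };
}

interface AuditReport {
  sent: number;
  total: number;
  message: string;    // the "X of Y" line, or the N/A line when nothing was found
  details: string[];  // one "Detail on fail" line per logout route without the header
  findings: RouteAssessment[];
}

function reportLogoutRoutes(files: { path: string; source: string }[]): AuditReport {
  const findings = files
    .filter((f) => LOGOUT_PATH_PATTERN.test(f.path))
    .map((f) => assessRoute(f.path, f.source));
  const total = findings.length;
  const sent = findings.filter((f) => f.hasHeader).length;
  const details = findings
    .filter((f) => !f.hasHeader)
    .map((f) => `Logout route ${f.path} does not send Clear-Site-Data header: session artifacts may persist in browser`);
  const message = total === 0
    ? "N/A: no logout/signout routes found"
    : `${sent} of ${total} logout routes send Clear-Site-Data`;
  return { sent, total, message, details, findings };
}

// Constructed sample route files: one compliant handler, one that only
// invalidates server-side, and one non-logout route that must be ignored.
const SAMPLE_ROUTES = [
  {
    path: "src/app/api/auth/signout/route.ts",
    source: `export async function POST(req: Request) {
  await invalidateSession(req)
  return new Response(null, { status: 200, headers: { 'Clear-Site-Data': '"cache", "cookies", "storage"' } })
}`,
  },
  {
    path: "src/app/api/logout/route.ts",
    source: `export async function POST(req: Request) {
  await invalidateSession(req)
  return new Response(null, { status: 204 })
}`,
  },
  { path: "src/app/api/login/route.ts", source: `export async function POST() { return new Response('ok') }` },
];

// Stand-alone run: prints the report line and any per-route detail.
const sampleReport = reportLogoutRoutes(SAMPLE_ROUTES);
console.log(sampleReport.message);
sampleReport.details.forEach((d) => console.log(d));
```

The report counts a route as passing when any Clear-Site-Data header is present, matching the pass criterion above, while `clearsCookies` and `fullCleanup` in each finding let the reviewer distinguish a minimal `"cookies"` value from the full three-directive cleanup when writing up the result.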
Remediation: Clear-Site-Data tells the browser to wipe stored data when the user logs out, ensuring a clean session break:
// API route: /api/auth/signout
export async function POST(req: Request) {
  // ... invalidate session server-side ...
  return new Response(null, {
    status: 200,
    headers: {
      'Clear-Site-Data': '"cache", "cookies", "storage"'
    }
  })
}
The header value uses quoted strings. Common values: "cookies" (session cookies), "cache" (cached resources), "storage" (localStorage, sessionStorage, IndexedDB). Use all three for full cleanup.