Clear-Site-DataClear-Site-Data is a security header by which a server instructs the browser to delete data stored for a given origin (cookies, cache, localStorage, Service Workers, and more). It is used at logout, account switch, or incident response to wipe sensitive client-side data in one shot.
The value is a comma-separated list of data-type tokens wrapped in double quotes: "cache", "cookies", "storage", "executionContexts", and the catch-all "*". The quotes are part of the syntax and are mandatory (an unquoted cache is ignored). For example, if a logout endpoint returns Clear-Site-Data: "cookies", "storage", it erases not only the session cookie but also user data cached in IndexedDB and localStorage.
"cookies" clears cookies and HTTP auth for the same registrable domain as the responding origin. "storage" also covers Service Worker registrations and Cache Storage, so it doubles as a way to forcibly unregister a bad Service Worker deployment. "executionContexts" reloads open tabs/frames to reset in-memory state as well.
The header works only in a secure context (HTTPS) and is scoped to the origin that sent the response. Support varies slightly across browsers (especially the granularity of "cache"), and deletion may be asynchronous, so it does not guarantee immediate completion.
Clear-Site-Data: "<type>"[, "<type>"]*e.g. Clear-Site-Data: "cache", "cookies", "storage"
"cache" | Clears this origin's browser cache (HTTP cache, prefetch, etc.). |
"cookies" | Deletes cookies and HTTP auth credentials stored for this origin (and same registrable domain). |
"storage" | Removes DOM storage: localStorage, sessionStorage, IndexedDB, Service Worker registrations, Cache Storage, and more. |
"executionContexts" | Reloads this origin's open browsing contexts (tabs/frames) to reset execution state. |
"*" | Clears all supported data types at once (including future types). |