The clear-site-data header


This is an important privacy feature for logging out and truly wiping the client without having to enumerate everything that might need deletion.

Malte Ubl, CTO Vercel

This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out.

Google

Developers may instruct a user agent to clear various types of relevant data by delivering a Clear-Site-Data HTTP response header in response to a request. The Clear-Site-Data HTTP response header field sends a signal to the user agent that it ought to remove all data of a certain set of types.

Clear Site Data spec

Support for the clear-site-data header landed in Safari 16.4. It’s been supported by Chrome and Firefox for years.

When a user signs out of an application, or deletes their account, you might want to remove data being stored by their browser. Let’s look at the different kinds of data you can remove with this header (the code examples use the Express framework):

storage

res.header("Clear-Site-Data", '"storage"');

"storage" will clear the following:

cookies

res.header("Clear-Site-Data", '"cookies"');

Pretty self-explanatory.

To clear storage and cookies:

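const express = require("express");
const path = require("path");
const app = express();
// Clear cookies and storage whenever this page is served
app.get("/", (req, res) => {
  res.header("Clear-Site-Data", '"cookies", "storage"');
  res.sendFile(path.join(__dirname, "index.html"));
});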

cache

Firefox had implemented the “cache” type but they purposefully removed it. It is supported by other browsers.

Wildcard (*)

The wildcard character isn’t currently supported in Google Chrome.

res.header("Clear-Site-Data", '"*"');

The wildcard character (*) is equivalent to specifying all possible types. So for now '"*"' and '"cookies", "storage", "cache"' are equivalent. It’s feasible that more types will be added in the future, which the wildcard would automatically include.

There’s also executionContexts, but it is not implemented in any browser and possibly never will be, so I won’t discuss it here.
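An added example, not code from the original post: a sign-out handler that revokes the server-side session before sending the header, and expands the wildcard into the explicit types listed above because Chrome doesn't support `*`. The `sessions` map, the `sid` cookie name and the function names are assumptions made for illustration.

```javascript
// Added example. `sessions`, the "sid" cookie name and all function names
// are assumptions for illustration; they are not from the article.

// The data types the article describes as implemented in browsers.
const IMPLEMENTED_TYPES = ["cookies", "storage", "cache"];

// Build a Clear-Site-Data value. Each directive is a quoted string, so the
// double quotes are part of the header value itself.
function clearSiteDataValue(types) {
  // Chrome does not support "*", so send the explicit list instead.
  const expanded = types.includes("*") ? IMPLEMENTED_TYPES : types;
  const unknown = expanded.filter((t) => !IMPLEMENTED_TYPES.includes(t));
  if (unknown.length > 0) {
    throw new Error("Unsupported Clear-Site-Data type: " + unknown.join(", "));
  }
  return [...new Set(expanded)].map((t) => `"${t}"`).join(", ");
}

// Extract one cookie value from a raw Cookie request header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// Constructed stand-in for a server-side session store.
const sessions = new Map();

// Sign-out handler. Uses only setHeader/end, so it works as an Express route
// handler or with Node's http module.
function logout(req, res) {
  const sid = readCookie(req.headers.cookie, "sid");
  // Revoke the session on the server first: the header only wipes this
  // browser, it does not invalidate a session ID copied elsewhere.
  const revoked = sid !== null && sessions.delete(sid);
  res.setHeader("Clear-Site-Data", clearSiteDataValue(["*"]));
  res.statusCode = 200;
  res.end("Signed out");
  return revoked;
}
```

In an Express app this would be mounted with something like `app.post("/logout", logout)`. Browsers only act on the header when the response comes from a secure context (HTTPS).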

Check it worked

Firefox will helpfully log a message in the console.

Check out the Application tab in any browser and you should see that all the data has been removed.