
I was reading over cache-control request/response headers here.

Definition of Cache-Control: No-Store:

The no-store directive means browsers aren’t allowed to cache a response and must pull it from the server each time it’s requested. This setting is usually used for sensitive data, such as personal banking details.

Cloud Foundry UAA stores its public keys for JWT signature validation at https://uaa.my-domain.com/token_keys and its cache-control response header contains no-store.

This makes no sense to me - they are public keys that do not require authorization to acquire. Additionally, there is an ETag response header that implies, according to the link referenced above, that a browser or client will be caching the response.

Bilbo Baggins

0 Answers