Destroying a session clears the browser cache for the site

The "Clear-Site-Data" header[^1] is supported in most modern browsers,
and sending it when a user signs out prevents the browser from
displaying cached pages when a user hits the "back" button.

This helps prevent exposure of data if a user logs in to a site on a
public computer, for example.

[^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

Author: flavorjones

railties/lib/rails/generators/rails/authentication/templates/app/controllers/concerns/authentication.rb.tt

@@ -49,4 +49,8 @@ module Authentication
       Current.session.destroy
       cookies.delete(:session_id)
     end
+
+    def clear_site_data
+      response.headers["Clear-Site-Data"] = '"cache","storage"'
+    end
 end

railties/lib/rails/generators/rails/authentication/templates/app/controllers/sessions_controller.rb.tt

@@ -16,6 +16,7 @@ class SessionsController < ApplicationController
 
   def destroy
     terminate_session
+    clear_site_data
     redirect_to new_session_path
   end
 end