
Commit 827b098

Tweak text about disabling caching
Signed-off-by: David A. Wheeler <[email protected]>
1 parent af98e3c commit 827b098


1 file changed

+2
-3
lines changed


secure_software_development_fundamentals.md

Lines changed: 2 additions & 3 deletions
@@ -3317,16 +3317,15 @@ When you are delivering web pages you can limit what can be done with the result
33173317

33183318
If your site is publicly accessible, you can easily test your headers using the [Security Headers website](https://securityheaders.com/).
33193319

3320-
If you are serving especially sensitive data, you should *only* serve that data from a few specific pages and completely disable caching of that data (to prevent accidental spills from a cache). The safest way to ensure that caching is disabled is through this set of HTTP headers
3321-
(["How do we control web page caching, across all browsers?"](https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers)):
3320+
If you are serving especially sensitive data, you should *only* serve that data from a few specific web pages and *completely* disable caching of that data on the server, client, and any proxies along the way. Disabling caches prevents accidental spills from a cache. On the server commonly-used systems for caching include memcached and Redis - disable caching of that data when you can. The safest way to ensure that the web browser and web proxy caching is disabled is through this set of HTTP headers (["How do we control web page caching, across all browsers?"](https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers)):
33223321

33233322
~~~~
33243323
Cache-Control: no-cache, no-store, must-revalidate
33253324
Pragma: no-cache
33263325
Expires: 0
33273326
~~~~
33283327

3329-
Some of these settings are only relevant to extremely old browsers. If you only care about current browsers, this setting is enough:
3328+
Some of these settings are only relevant to extremely old browsers. If you only care about current browsers, this HTTP header is enough to disable caching:
33303329

33313330
~~~~
33323331
Cache-Control: no-store, must-revalidate
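Review bot: the new paragraph (line 3320+) widens the scope to "server, client, and any proxies", but the server-side half is left as the vague "disable caching of that data when you can", while the header set that follows only addresses browsers and proxies; suggest saying concretely what the reader should do on the server (e.g. never write responses carrying the sensitive data into memcached or Redis, or exclude those specific pages from any server-side cache layer) so the three-way promise in the first sentence is actually delivered. Two smaller wording points in the same line: "On the server commonly-used systems for caching include memcached and Redis - disable caching" reads better with a comma after "On the server" and a full stop or semicolon instead of the dash, and "ensure that the web browser and web proxy caching is disabled" should drop "the" ("ensure that web browser and web proxy caching is disabled"). The second hunk (line 3328+) is fine as a wording tweak.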
