According to Angular, SSR will cache HttpClient GET calls:
When SSR is enabled, HttpClient responses are cached while running on the server. After that this information is serialized and transferred to a browser as a part of the initial HTML sent from the server. In a browser, HttpClient checks whether it has data in the cache and if so, reuses it instead of making a new HTTP request during initial application rendering. HttpClient stops using the cache once an application becomes stable while running in a browser.
How do we ensure that authenticated endpoints are not cached? For example, what is the risk of one user's API calls with an auth token being cached on the server-side and returned to other users?