diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 71c54e02ad..9241455ca1 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -45,8 +45,6 @@ require_dependency 'principal'
 class ApplicationController < ActionController::Base
- # ensure the OpenProject models are required in the right order (as they have circular dependencies)
- class_attribute :_model_object
 class_attribute :_model_scope
 class_attribute :accept_key_auth_actions
@@ -87,7 +85,9 @@ class ApplicationController < ActionController::Base
 :reset_i18n_fallbacks,
 :set_localization,
 :check_session_lifetime,
- :stop_if_feeds_disabled
+ :stop_if_feeds_disabled,
+ :set_cache_buster
+ rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
@@ -104,6 +104,18 @@ class ApplicationController < ActionController::Base
 { :layout => params["layout"] }
 end
+ # set http headers so that the browser does not store any
+ # data (caches) of this site
+ # see: https://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
+ # see: http://stackoverflow.com/questions/711418/how-to-prevent-browser-page-caching-in-rails
+ def set_cache_buster
+ if OpenProject::Configuration['disable_browser_cache']
+ response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
+ response.headers["Pragma"] = "no-cache"
+ response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
+ end
+ end
+ # the current user is a per-session kind of thing and session stuff is controller responsibility.
 # a globally accessible User.current is a big code smell. when used incorrectly it allows getting
 # the current user outside of a session scope, i.e. in the model layer, from mailers or in the console
diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index 47c4091d64..25da82b92f 100644
--- a/config/configuration.yml.example
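Review bot: Appending `:set_cache_buster` as the last entry of the filter list means it never runs when an earlier filter halts the chain, so a response produced by `check_session_lifetime` or `stop_if_feeds_disabled` (an expired-session redirect or a feeds-disabled error, if those filters render or redirect as their names suggest) goes out without the no-store headers — precisely the kind of response this filter exists to cover. Because the method only mutates response headers and depends on no other filter, declare it first, e.g. `before_filter :set_cache_buster` ahead of the existing `before_filter` call, or move `:set_cache_buster,` to the top of this list. The `before_filter` call this list belongs to starts outside the hunk, so its options could not be checked.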
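Review bot: `set_cache_buster` appears to be defined in the public part of the class (the hunk follows the `end` of the previous method with no `private`/`protected` marker visible), and a public instance method on a controller may be treated as an action method by subclasses; a filter that only sets headers should live under the class's `protected`/`private` section if it has one. Style: the body is one conditional, which reads more cleanly as a guard clause, `return unless OpenProject::Configuration['disable_browser_cache']`, followed by the three header assignments, and the fixed header strings could be frozen constants rather than per-request literals. The header comment should also state the off-path, e.g. `# Does nothing when 'disable_browser_cache' is off, leaving cache headers to the framework defaults.`, and could drop the external links in favour of naming the headers set.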
+++ b/config/configuration.yml.example
@@ -127,6 +127,10 @@ default:
 # autologin_cookie_path:
 # autologin_cookie_secure:
+ # disable browser cache for security reasons
+ # see: https://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
+ # disable_browser_cache: true
+ # Configuration of SCM executable command.
 # Absolute path (e.g. /usr/local/bin/hg) or command name (e.g. hg.exe, bzr.exe)
 # On Windows, *.cmd, *.bat (e.g. hg.cmd, bzr.bat) does not work.
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
index 590260f80c..00cfd19974 100644
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -36,6 +36,7 @@ See doc/COPYRIGHT.rdoc for more details.
 * `#2473` [Timelines] Tooltip in timeline report shows star * instead of hash # in front of ID
 * `#2721` Fix: Fix: Fix: Missing journal entries for customizable_journals
 * `#2718` Newlines in workpackage descriptions aren't normalized for change tracking
+* `#1748` Add option to diable browser cache
 ## 3.0.0pre28
diff --git a/lib/open_project/configuration.rb b/lib/open_project/configuration.rb
index a1df6c7d3c..31c6b31911 100644
--- a/lib/open_project/configuration.rb
+++ b/lib/open_project/configuration.rb
@@ -39,6 +39,7 @@ module OpenProject
 'database_cipher_key' => nil,
 'scm_git_command' => nil,
 'scm_subversion_command' => nil,
+ 'disable_browser_cache' => true,
 # email configuration
 'email_delivery_method' => nil,
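Review bot: The new `'disable_browser_cache' => true` default is consumed only by a truthiness check (`if OpenProject::Configuration['disable_browser_cache']` in `ApplicationController`), so if a value can reach that check as a string — for instance `"false"` from an environment variable, should this configuration support one — it is truthy in Ruby and the headers stay on regardless of the operator's intent; normalising the value to a boolean where it is read, or documenting that only a YAML boolean is honoured, would close that gap. Defaulting to `true` is the safer choice, but it changes the caching behaviour of every response for existing installations on upgrade, so the default deserves a mention in the example configuration changed in this commit, e.g. `# disable_browser_cache: true   # default: true; set to false to let browsers cache responses`.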