Avoid caching of the http responses

http caching http-headers client-server browser-cache
STeN picture STeN · Mar 27, 2012 · Viewed 33.7k times · Source

What is the definitive solution for avoid any kind of caching of http data? We can modify the client as well as the server - so I think we can split the task between client and the server.

Client can append to each request a random parameter http://URL/path?rand=6372637263 – My feeling is that using only this way it is not working 100% - might be there are some intelligent proxies, which can detect that… On the other side I think that if the URL is different from the previous one, the proxy cannot simply decide to send back some cached response.

On server can control a bunch of HTTP headers:

Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: {now} GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

Any comments to this, what is the best approach?

Answer

symcbean picture symcbean · Mar 27, 2012

Server-side cache control headers should look like:

Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: {now} GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate

Avoid rewriting URLs on the client because it pollutes caches, and causes other weird semantic issues. Furthermore:

  • Use one Cache-Control header (see rfc 2616) because behaviour with multiple entries is undefined. Also the MSIE specific entries in the second cache-control are at best redundant.

  • no-store is about data security. (it only means don't write this to disk - caches are still allowed to store the response in memory).

  • Pragma: no-cache is meaningless in a server response - it's a request header meaning that any caches receiving the request must forward it to the origin.

  • Using both Expires (http/1.0) and cache-control (http/1.1) is not redundant since proxies exist that only speak http/1.0, or will downgrade the protocol.

  • Technically, the last modified header is redundant in light of no-cache, but it's a good idea to leave it in there.

  • Some browsers will ignore subsequent directives in a cache-control header after they come across one they don't recognise - so put the important stuff first.

Related questions

How do we control web page caching, across all browsers?

Our investigations have shown us that not all browsers respect the HTTP cache directives in a uniform manner. For security reasons we do not want certain pages in our application to be cached, ever, by the web browser. This must …

Read More
What's the difference between Cache-Control: max-age=0 and no-cache?

The header Cache-Control: max-age=0 implies that the content is considered stale (and must be re-fetched) immediately, which is in effect the same thing as Cache-Control: no-cache.

Read More
What is Cache-Control: private?

When I visit chesseng.herokuapp.com I get a response header that looks like Cache-Control:private Connection:keep-alive Content-Encoding:gzip Content-Type:text/css Date:Tue, 16 Oct 2012 06:37:53 GMT Last-Modified:Tue, 16 Oct 2012 03:13:38 GMT Status:200 OK transfer-encoding:chunked Vary:Accept-Encoding X-Rack-Cache:miss and …

Read More