Avoid caching of the http responses

STeN picture STeN · Mar 27, 2012 · Viewed 33.7k times · Source

What is the definitive solution for avoid any kind of caching of http data? We can modify the client as well as the server - so I think we can split the task between client and the server.

Client can append to each request a random parameter http://URL/path?rand=6372637263 – My feeling is that using only this way it is not working 100% - might be there are some intelligent proxies, which can detect that… On the other side I think that if the URL is different from the previous one, the proxy cannot simply decide to send back some cached response.

On server can control a bunch of HTTP headers:

Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: {now} GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

Any comments to this, what is the best approach?

Answer

symcbean picture symcbean · Mar 27, 2012

Server-side cache control headers should look like:

Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: {now} GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate

Avoid rewriting URLs on the client because it pollutes caches, and causes other weird semantic issues. Furthermore:

  • Use one Cache-Control header (see rfc 2616) because behaviour with multiple entries is undefined. Also the MSIE specific entries in the second cache-control are at best redundant.

  • no-store is about data security. (it only means don't write this to disk - caches are still allowed to store the response in memory).

  • Pragma: no-cache is meaningless in a server response - it's a request header meaning that any caches receiving the request must forward it to the origin.

  • Using both Expires (http/1.0) and cache-control (http/1.1) is not redundant since proxies exist that only speak http/1.0, or will downgrade the protocol.

  • Technically, the last modified header is redundant in light of no-cache, but it's a good idea to leave it in there.

  • Some browsers will ignore subsequent directives in a cache-control header after they come across one they don't recognise - so put the important stuff first.