Server-side cache control headers should look like:
Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: {now} GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate
Avoid rewriting URLs on the client because it pollutes caches and causes other weird semantic issues. Furthermore:
- Use one Cache-Control header (see RFC 2616) because behaviour with multiple entries is undefined. Also, the MSIE-specific entries in the second Cache-Control are at best redundant.
- no-store is about data security. (It only means don’t write this to disk – caches are still allowed to store the response in memory.)
- Pragma: no-cache is meaningless in a server response – it’s a request header meaning that any caches receiving the request must forward it to the origin.
- Using both Expires (HTTP/1.0) and Cache-Control (HTTP/1.1) is not redundant since proxies exist that only speak HTTP/1.0, or will downgrade the protocol.
- Technically, the Last-Modified header is redundant in light of no-cache, but it’s a good idea to leave it in there.
- Some browsers will ignore subsequent directives in a Cache-Control header after they come across one they don’t recognise – so put the important stuff first.
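
The points above, turned into a small header builder and response audit. This is an added example, not code from the original answer: the function names, the KNOWN set and BAD_SAMPLE are constructed for illustration, and post-check/pre-check are assumed to be the MSIE-specific entries the answer refers to.

```python
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

# RFC 2616 response directives; anything else counts as an extension.
KNOWN = {"public", "private", "no-cache", "no-store", "no-transform",
         "must-revalidate", "proxy-revalidate", "max-age", "s-maxage"}

def no_cache_headers(now=None):
    """Build the header set shown above; `now` is a POSIX timestamp."""
    return [
        ("Expires", "Tue, 03 Jul 2001 06:00:00 GMT"),      # fixed past date
        ("Last-Modified", formatdate(now, usegmt=True)),   # the page's {now} GMT
        ("Cache-Control", "max-age=0, no-cache, must-revalidate, proxy-revalidate"),
    ]

def audit_cache_headers(headers, now=None):
    """Return findings for a response's (name, value) header pairs."""
    now = now or datetime.now(timezone.utc)
    by_name, findings = {}, []
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    cc = by_name.get("cache-control", [])
    if len(cc) != 1:
        findings.append(f"expected one Cache-Control header, found {len(cc)}")
    names = [d.split("=")[0].strip().lower() for d in ",".join(cc).split(",") if d.strip()]
    if "no-cache" not in names:
        findings.append("Cache-Control lacks no-cache")
    elif any(n not in KNOWN for n in names[:names.index("no-cache")]):
        findings.append("extension directive precedes no-cache")
    if "expires" not in by_name:
        findings.append("no Expires header for HTTP/1.0 caches")
    else:
        try:
            if parsedate_to_datetime(by_name["expires"][0]) >= now:
                findings.append("Expires is not in the past")
        except (TypeError, ValueError):
            pass  # RFC 2616 14.21: invalid dates count as already expired
    if "pragma" in by_name:
        findings.append("Pragma is a request header; meaningless in a response")
    return findings

# Constructed sample of a misconfigured response (not from the page).
BAD_SAMPLE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Cache-Control", "post-check=0, pre-check=0"),
    ("Pragma", "no-cache"),
]

if __name__ == "__main__":
    print(audit_cache_headers(no_cache_headers()), audit_cache_headers(BAD_SAMPLE))
```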