
I have several sites that contain sensitive data, so I want to disable client cache completely. I found there are 3 implementations used for HTTP/1.1 on Google:

  • Implement 1: Set "no-store" with the others

    response.setHeader("Cache-Control", "no-store, no-cache, max-age=0, must-revalidate");
    
  • Implement 2: Set "no-store, no-cache"

    response.setHeader("Cache-Control", "no-store, no-cache");
    
    // REASON: "no-cache" already covers "max-age=0, must-revalidate"
    
  • Implement 3: Set "no-store":

    response.setHeader("Cache-Control", "no-store");
    
    // REASON: with "no-store", data is never stored
    // by either the client cache or intermediate caches
    

I found this diagram ( Source from google site: Cache Control Policy Diagram )


From this diagram, my understanding is that Implementation 3 is enough for HTTP/1.1.

Any comments? Thanks!

Loc

1 Answer


It depends what you want to happen when the user hits the back button in the browser.

If you don't care about that, use no-store.

If you don't want the previous page displayed, then you need to use must-revalidate too.

Neil McGuigan
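Added example, not from the question or the answer above: a small Python checker that parses a Cache-Control value using the HTTP/1.1 (RFC 7234) directive semantics and reports whether a response may be stored at all and whether a stored copy may be reused without revalidation. Running it on the three implementations from the question shows why no-store alone already prevents storage; the function and class names are my own, and it deliberately ignores Expires and Pragma.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CachePolicy:
    may_store: bool        # may any cache (browser or proxy) keep a copy?
    may_serve_stale: bool  # may a kept copy be reused without revalidating?


def parse_cache_control(value: str) -> dict:
    """Split 'a, b=1' into {'a': None, 'b': '1'}; names are case-insensitive."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def classify(cache_control: str) -> CachePolicy:
    d = parse_cache_control(cache_control)
    # no-store forbids storing the response anywhere, so nothing else matters.
    if "no-store" in d:
        return CachePolicy(may_store=False, may_serve_stale=False)
    # no-cache: the copy may be kept, but must be revalidated before every reuse.
    if "no-cache" in d:
        return CachePolicy(may_store=True, may_serve_stale=False)
    # max-age=0 makes the copy stale immediately; must-revalidate forbids
    # serving a stale copy without a successful revalidation. max-age=0
    # on its own still lets a cache serve stale (e.g. origin unreachable).
    max_age = d.get("max-age")
    zero_age = max_age is not None and max_age.isdigit() and int(max_age) == 0
    if zero_age and "must-revalidate" in d:
        return CachePolicy(may_store=True, may_serve_stale=False)
    return CachePolicy(may_store=True, may_serve_stale=True)


def is_safe_for_sensitive_data(cache_control: str) -> bool:
    """A sensitive response should never be storable by any cache."""
    return not classify(cache_control).may_store


# The three implementations from the question (constructed inputs).
IMPLEMENTATIONS = {
    1: "no-store, no-cache, max-age=0, must-revalidate",
    2: "no-store, no-cache",
    3: "no-store",
}

if __name__ == "__main__":
    for n, hdr in IMPLEMENTATIONS.items():
        print(f"Implementation {n}: {hdr!r} -> {classify(hdr)}")
```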