I have several sites that contain sensitive data, so I want to disable the client cache completely. I found there are 3 implementations used for HTTP/1.1 on Google:
Implement 1: Set "no-store" with the others
response.setHeader("Cache-Control", "no-store, no-cache, max-age=0, must-revalidate");
Implement 2: Set "no-store, no-cache"
response.setHeader("Cache-Control", "no-store, no-cache"); // REASON is "no-cache" already cover this "max-age=0, must-revalidate"
Implement 3: Set "no-store":
response.setHeader("Cache-Control", "no-store"); // REASON is: "no-store": data is never stored on both client cache & intermediate caches
I found this diagram (source: Google's Cache Control Policy Diagram).
From this diagram, my understanding is that Implementation 3 is enough for HTTP/1.1.
Any comments? Thanks!
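As an added example (not from the question or from any of the three implementations), here is a small Python checker that parses a Cache-Control value and applies a simplified model of the RFC 7234 rules a browser (private) cache follows, so the three header variants can be compared side by side; the function and field names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CachePolicy:
    stores: bool        # a cache may write the response to storage at all
    reuses_fresh: bool  # a stored copy may be served as fresh without revalidating
    serves_stale: bool  # a stored copy may be served past its freshness lifetime
    directives: dict


def parse_cache_control(value: str) -> dict:
    """Split 'a, b=1, c="x"' into {'a': None, 'b': '1', 'c': 'x'}; names are case-insensitive."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def evaluate(value: str) -> CachePolicy:
    """Simplified RFC 7234 model of how a private (browser) cache treats the header."""
    d = parse_cache_control(value)
    if "no-store" in d:
        # no-store alone forbids storing the response; the other directives are moot
        return CachePolicy(False, False, False, d)
    max_age = d.get("max-age")
    # max-age present -> explicit freshness lifetime; absent -> heuristic freshness is allowed
    fresh = max_age is None or (max_age.isdigit() and int(max_age) > 0)
    no_cache = "no-cache" in d  # stored, but every reuse must be revalidated first
    return CachePolicy(
        stores=True,
        reuses_fresh=fresh and not no_cache,
        serves_stale=not no_cache and "must-revalidate" not in d,
        directives=d,
    )


def forbids_client_cache(value: str) -> bool:
    """True when the header prevents the response from being stored at all."""
    return not evaluate(value).stores


# The three header values from the question.
IMPLEMENTATIONS = {
    1: "no-store, no-cache, max-age=0, must-revalidate",
    2: "no-store, no-cache",
    3: "no-store",
}
```

Running `forbids_client_cache` over `IMPLEMENTATIONS` returns True for all three, while a bare `no-cache` or `max-age=0` still lets the response be written to disk, which is the distinction that matters for sensitive data.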