Safari Caching GET request even with disabled cache

Question

I have set all headers that I know of to disable caching (even disabling ETAG) on my server, yet Safari still occasionally (about 50% times) caches my requests.

Workflow

I am implementing oauth 1, so:

1. Browser makes GET /api/user request

2. Server returns 405

3. Browser redirects to 3rd party website to authenticate

4. Browser is redirected to api/callback which stores some info into cookie.

5. Browser is redirected back to original route.

6. Browser makes GET /api/user request which should be successful, however it gets 405 served from disk cache instead.

Request summary from Safari Network Inspector

Summary

URL: http://localhost:3000/api/user

Status: 405 Method Not Allowed

Source: Disk Cache

Request

No request, served from the disk cache.

Response

Transfer-Encoding: Identity

Content-Type: application/json; charset=utf-8

Pragma: no-cache

Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0

Vary: Cookie, Accept-Encoding

Date: Wed, 23 Jan 2019 11:34:23 GMT

Content-Encoding: gzip

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Connection: close

x-powered-by: Express

Conclusion

I have no idea what's wrong and I will greatly appreciate any help. My Safari version is 12.0.2. I wasn't able to replicate this issue with Chrome.

Answer 1

Use Vary: *. This magically solved my problem.

This answer helped me: https://stackoverflow.com/a/2068353/1364158

Alternatively, you can really force browser to load a new version of request by including some meaningless random query arg in your url, e.g. /api/user?ts=18284