Why both no-cache and no-store should be used in HTTP response

Question

I m told to prevent user-info leaking  only  no-cache  in response is not enough   no-store  is also necessary   Cache-Control  no-cache  no-store   After reading this spec http   www w3 org Protocols rfc2616 rfc2616-sec14 html  I m still not quite sure why   My current understanding is that it is just for intermediate cache server  Even if  no-cache  is in response  intermediate cache server can still save the content to non-volatile storage  The intermediate cache server will decide whether using the saved content for following request  However  if  no-store  is in the response  the intermediate cache sever is not supposed to store the content  So  it is safer   Is there any other reason we need both  no-cache  and  no-store

User · Answer

Just to make things even worse  in some situations  no-cache can t be used  but no-store can   http   faindu wordpress com 2008 04 18 ie7-ssl-xml-flex-error-2032-stream-error

User · Answer

If a caching system correctly implements no-store  then you wouldn t need no-cache   But not all do   Additionally  some browsers implement no-cache like it was no-store   Thus  while not strictly required  it s probably safest to include both

User · Answer

OWASP discusses this      What s the difference between the cache-control directives  no-cache  and no-store       The no-cache directive in a response indicates that the response must not be used to serve a subsequent request i e  the cache must not display a response that has this directive set in the header but must let the server serve the request  The no-cache directive can include some field names  in which case the response can be shown from the cache except for the field names specified which should be served from the server  The no-store directive applies to the entire message and indicates that the cache must not store any part of the response or any request that asked for it       Am I totally safe with these directives       No  But generally  use both Cache-Control  no-cache  no-store and Pragma  no-cache  in addition to Expires  0  or a sufficiently backdated GMT date such as the UNIX epoch   Non-html content types like pdf  word documents  excel spreadsheets  etc often get cached even when the above cache control directives are set  although this varies by version and additional use of must-revalidate  pre-check 0  post-check 0  max-age 0  and s-maxage 0 in practice can sometimes result at least in file deletion upon browser closure in some cases due to browser quirks and HTTP implementations   Also   Autocomplete  feature allows a browser to cache whatever the user types in an input field of a form  To check this  the form tag or the individual input tags should include  Autocomplete  Off    attribute  However  it should be noted that this attribute is non-standard  although it is supported by the major browsers  so it will break XHTML validation    Source here

User · Answer

Note that Internet Explorer from version 5 up to 8 will throw an error when trying to download a file served via https and the server sending Cache-Control  no-cache or Pragma  no-cache headers   See http   support microsoft com kb 812935 en-us  The use of Cache-Control  no-store and Pragma  private seems to be the closest thing which still works

User · Answer

I must clarify that no-cache does not mean do not cache  In fact  it means  revalidate with server  before using any cached response you may have  on every request   must-revalidate  on the other hand  only needs to revalidate when the resource is considered stale   If the server says that the resource is still valid then the cache can respond with its representation  thus alleviating the need for the server to resend the entire resource   no-store is effectively the full do not cache directive and is intended to prevent storage of the representation in any form of cache whatsoever   I say whatsoever  but note this in the RFC 2616 HTTP spec      History buffers MAY store such responses as part of their normal operation   But this is omitted from the newer RFC 7234 HTTP spec in potentially an attempt to make no-store stronger  see   http   tools ietf org html rfc7234 section-5 2 1 5

User · Answer

If you want to prevent all caching  e g  force a reload when using the back button  you need    no-cache for IE no-store for Firefox   There s my information about this here   http   blog httpwatch com 2008 10 15 two-important-differences-between-firefox-and-ie-caching

User · Answer

no-store should not be necessary in normal situations  and can harm both speed and usability   It is intended for use where the HTTP response contains information so sensitive it should never be written to a disk cache at all  regardless of the negative effects that creates for the user   How it works    Normally  even if a user agent such as a browser determines that a response shouldn t be cached  it may still store it to the disk cache for reasons internal to the user agent   This version may be utilised for features like  view source    back    page info   and so on  where the user hasn t necessarily requested the page again  but the browser doesn t consider it a new page view and it would make sense to serve the same version the user is currently viewing  Using no-store will prevent that response being stored  but this may impact the browser s ability to give  view source    back    page info  and so on without making a new  separate request for the server  which is undesirable   In other words  the user may try viewing the source and if the browser didn t keep it in memory  they ll either be told this isn t possible  or it will cause a new request to the server   Therefore  no-store should only be used when the impeded user experience of these features not working properly or quickly is outweighed by the importance of ensuring content is not stored in the cache       My current understanding is that it is just for intermediate cache server  Even if  no-cache  is in response  intermediate cache server can still save the content to non-volatile storage    This is incorrect   Intermediate cache servers compatible with HTTP 1 1 will obey the no-cache and must-revalidate instructions  ensuring that content is not cached   Using these instructions will ensure that the response is not cached by any intermediate cache  and that all subsequent requests are sent back to the origin server   If the intermediate cache server does not support HTTP 1 1  then you will need to use Pragma  no-cache and hope for the best   Note that if it doesn t support HTTP 1 1 then no-store is irrelevant anyway

User · Answer

From the HTTP 1 1 specification      no-store       The purpose of the no-store directive is to prevent the inadvertent release or retention of sensitive information  for example  on backup tapes   The no-store directive applies to the entire message  and MAY be sent either in a response or in a request  If sent in a request  a cache MUST NOT store any part of either this request or any response to it  If sent in a response  a cache MUST NOT store any part of either this response or the request that elicited it  This directive applies to both non- shared and shared caches   MUST NOT store  in this context means that the cache MUST NOT intentionally store the information in non-volatile storage  and MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible after forwarding it    Even when this directive is associated with a response  users might explicitly store such a response outside of the caching system  e g   with a  Save As  dialog   History buffers MAY store such responses as part of their normal operation    The purpose of this directive is to meet the stated requirements of certain users and service authors who are concerned about accidental releases of information via unanticipated accesses to cache data structures  While the use of this directive might improve privacy in some cases  we caution that it is NOT in any way a reliable or sufficient mechanism for ensuring privacy  In particular  malicious or compromised caches might not recognize or obey this directive  and communications networks might be vulnerable to eavesdropping

User · Answer

Under certain circumstances  IE6 will still cache files even when Cache-Control  no-cache is in the response headers   The W3C states of no-cache      If the no-cache directive does not   specify a field-name  then a cache   MUST NOT use the response to satisfy a   subsequent request without successful   revalidation with the origin server    In my application  if you visited a page with the no-cache header  then logged out and then hit back in your browser  IE6 would still grab the page from the cache  without a new validating request to the server    Adding in the no-store header stopped it doing so   But if you take the W3C at their word  there s actually no way to control this behavior      History buffers MAY store such responses as part of their normal operation    General differences between browser history and the normal HTTP caching are described in a specific sub-section of the spec

User · Answer

For chrome  no-cache is used to reload the page on a re-visit  but it still caches it if you go back in history  back button   To reload the page for history-back as well  use no-store  IE needs must-revalidate to work in all occasions   So just to be sure to avoid all bugs and misinterpretations I always use  Cache-Control  no-store  no-cache  must-revalidate   if I want to make sure it reloads

User · Answer

Originally we used no-cache many years ago and did run into some problems with stale content with certain browsers    Don t remember the specifics unfortunately   We had since settled on JUST the use of no-store   Have never looked back or had a single issue with stale content by any browser or intermediaries since   This space is certainly dominated by reality of implementations vs what happens to have been written in various RFCs   Many proxies in particular tend to think they do a better job of  improving performance  by replacing the policy they are supposed to be following  with their own

[http] Why both no-cache and no-store should be used in HTTP response?

Examples related to http

Examples related to caching

Examples related to no-cache