super global user

Reputation: 167

Caching with SSL certification

I read that if the request is authenticated or secure, it won't be cached. We previously worked on our cache and are now planning to purchase an SSL certificate.

If caching cannot be done with an SSL connection, does that mean our work on caching is useless?

Reference: http://www.mnot.net/cache_docs/

Upvotes: 0

Views: 803

Answers (2)

Bruno

Reputation: 122669

You can use the Cache-Control: public header to allow a representation served over HTTPS to be cached.

While the document you refer to says "If the request is authenticated or secure (i.e., HTTPS), it won’t be cached.", it's within a paragraph starting with "Generally speaking, these are the most common rules that are followed [...]".

The same document goes into more detail after this:

Useful Cache-Control response headers include:

  • public — marks authenticated responses as cacheable; normally, if HTTP authentication is required, responses are automatically private.

(What applies to HTTP with authentication also applies to HTTPS.)

Obviously, documents that actually contain sensitive information aimed only at the authenticated user should not be served with this header, since they really shouldn't be cached. However, using this header for items that are suitable for caching (e.g. common images and scripts) should improve the performance of your website (as expected for caching over plain HTTP).

What will never happen with HTTPS is the caching of resources by intermediate proxy servers (between the client and your web-server, at least the external part, if you have a load-balancer or similar). Some CDNs will serve content over HTTPS (assuming it's suitable for your system to trust these CDNs). In general, these proxy servers wouldn't fall under the control of your cache design anyway.

Upvotes: 0
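An added example, not part of the answer above: a small audit that checks whether Cache-Control on HTTPS responses matches the split the answer describes (public for shared static assets, never public for content meant only for the authenticated user). The paths, header values and the `user_specific` flag are constructed assumptions; the Set-Cookie check is an extra rule added here.

```python
# Added example: audit Cache-Control on HTTPS responses (constructed samples).

def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_response(headers, user_specific):
    """Return a list of findings for one response.

    headers: dict of response headers (names are matched case-insensitively).
    user_specific: True if the body is meant only for the authenticated user.
                   This is supplied by the caller; it cannot be inferred.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if user_specific:
        if "public" in cc:
            findings.append("user-specific response marked public")
        if not (cc.keys() & {"private", "no-store"}):
            findings.append("user-specific response lacks private/no-store")
    elif "public" in cc and "set-cookie" in h:
        # Extra rule added here: a publicly cacheable response should not
        # carry a per-user cookie.
        findings.append("public response sets a cookie")
    return findings

# Constructed sample responses (hypothetical paths and values).
SAMPLES = {
    "/static/logo.png": ({"Cache-Control": "public, max-age=86400"}, False),
    "/account/statement": ({"Cache-Control": "public, max-age=600"}, True),
    "/account/profile": ({"cache-control": "private, no-store"}, True),
    "/static/app.js": ({"Cache-Control": "public, max-age=3600",
                        "Set-Cookie": "sid=abc"}, False),
}

def audit_all(samples=SAMPLES):
    """Audit every sample and return {path: [findings]}."""
    return {p: audit_response(hdrs, user) for p, (hdrs, user) in samples.items()}

if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "->", findings or "ok")
```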

Steffen Ullrich

Reputation: 123365

Your reference is wrong. Content sent over HTTPS will be cached in modern browsers, but it obviously cannot be cached in intermediate proxies. See http://arstechnica.com/business/2011/03/https-is-great-here-is-why-everyone-needs-to-use-it-so-ars-can-too/ or https://blog.httpwatch.com/2011/01/28/top-7-myths-about-https/ for example.

Upvotes: 1
