Reputation: 277
Simultaneous use of "Expires: 0", "no-cache", "no-store", "max-age=0, must-revalidate" - what for?
Recently I found that our web app sends the following headers:
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
This is how I read it:
Expires: 0
"Hey browser, the resource you just got has already expired"
Cache-Control: [..] max-age=0 [..]
"Actually nevermind what I just said, please do the following:"
no-cache
"Please cache this resource. But it's already stale, so please revalidate it before using"
no-store
"Also please do not cache anything"
max-age=0, must-revalidate
"Also please cache this resource. But if you want to use it after 0 seconds has passed - please revalidate it."
There can be 2 explanations to this:
- The person writing it didn't know what they were doing
- They actually knew it very well. I.e. they catered to some edge-case browser behavior / bugs / something that I am missing.
What exactly they might have tried to avoid?
Bonus question 1: is my understanding correct that Expires: 0 is (rough, with caveats) equivalent of no-cache rather than no-store? I.e. it allows caching but the caches become stale immediately - it does not prevent caching?
Bonus question 2: shouldn't I add proxy-revalidate?
Upvotes: 2
Views: 7308
Answers (1)
Reputation: 131067
Caching is an optional feature of the HTTP protocol and it's defined in the RFC 7234. The Cache-Control header is used to specify directives for caches along the request/response chain.
According to MDN Web Docs from Mozilla, you can use following Cache-Control directives to turn off caching in HTTP/1.1:
Cache-Control: no-cache, no-store, must-revalidate
The max-age directive set to 0 is irrelevant when the above Cache-Control directives are used (but it doesn't hurt).
One may also want to add an Expires header set to 0 in case the recipient doesn't support Cache-Control. From the RFC 7234:
If a response includes a
Cache-Controlfield with themax-agedirective, a recipient MUST ignore theExpiresfield. Likewise, if a response includes thes-maxagedirective, a shared cache recipient MUST ignore theExpiresfield. In both these cases, the value inExpiresis only intended for recipients that have not yet implemented theCache-Controlfield.
The proxy-revalidate directive works in the same way as must-revalidate but it only applies to shared caches (e.g., proxies). That is, the cache must verify the status of the stale resources before using it and expired ones should not be used.
I found this article about HTTP caching from Google pretty insightful.
Upvotes: 2
Related Questions
- Why both no-cache and no-store should be used in HTTP response?
- What is the difference between no-cache and no-store in Cache-control?
- What's the difference Expires and Cache-control:max-age?
- What's the difference between Cache-Control: max-age=0 and no-cache?
- Setting both Expires and Cache-Control: max-age
- What's the difference between expires, max-age, and shared max-age?
- max-age, no-Cache,must-revalidate on Cache-Control Header, Which takes predence here?
- "no-cache" vs "max-age=0, must-revalidate, proxy-revalidate"
- What are the drawbacks of using cache-control: no-store?
- How does caching works without max-age or expiry settings