Is cache-control: public, max-age=60 handled any differently by any known caches than cache-control: max-age=60? I've struggled to verify it, but I assume that if any cache-control instructions exist on a response, then it is assumed that that response is cacheable by the browser and any intermediate caches unless cache-control: private is set.

There's not enough information to comment on the validity of the recommendation. On cache-control: public and cache-control: private:

> The public and private directives are two opposing directives that control which types of clients can cache resources.

TL;DR: The addition of max-age=0 to the Cache-Control header could provide some additional security by stating the response is stale and not to use any cached responses.

The no-store Cache-Control is to prevent the inadvertent release or retention of sensitive information. At the bottom of the definition it includes this:

> The purpose of this directive is to meet the stated requirements of certain users and service authors who are concerned about accidental releases of information via unanticipated accesses to cache data structures. While the use of this directive might improve privacy in some cases, we caution that it is NOT in any way a reliable or sufficient mechanism for ensuring privacy. In particular, malicious or compromised caches might not recognize or obey this directive, and communications networks might be vulnerable to eavesdropping.

So adding max-age=0 should force a reload of caches, since the age would be stale and a refresh would occur.

> Specify the value in the following format: Cache-Control: max-age=seconds. The minimum expiration time CloudFront supports is 0 seconds.

In addition, OWASP mentions but doesn't elaborate on:

> These directives are generally robust, although additional flags may be necessary for the Cache-Control header in order to better prevent persistently linked files on the file system. These include: Cache-Control: must-revalidate, max-age=0, s-maxage=0

I believe max-age=0 simply tells caches (and user agents) the response is stale from the get-go and so they SHOULD revalidate the response (e.g. with the If-Not-Modified header) before using a cached copy, whereas no-cache tells them they MUST revalidate before using a cached copy.

And finally, and this may not apply to your situation:

> The no-store directive prevents a response from being stored, but does not delete any already-stored response for the same URL. In other words, if there is an old response already stored for a particular URL, returning no-store will not prevent the old response from being reused.

NOTE: Several of the references caution against the "kitchen-sink" approach to Cache-Control.
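As an added example (my own code, not part of the question or of any answer above), here is a small Python model of the decisions these directives drive: which responses a shared cache (CDN or proxy) or a private cache (browser) stores, when a stored copy is served without contacting the origin, and when it must be revalidated first. The origin server, the URLs, the ETags and the request timeline are all constructed for the illustration. The first scenario reproduces the point quoted above: a copy stored under max-age=60 keeps being served after the origin switches to no-store, because the cache never asks the origin while the copy is fresh. The third scenario goes one step beyond the text and shows where public, max-age=60 and max-age=60 actually differ for a shared cache: a response to a request that carried an Authorization header, which RFC 7234 section 3.2 says a shared cache may reuse only if the response carries public, must-revalidate or s-maxage. The model is deliberately simplified (no Expires, no heuristic freshness, no Vary, no stale-while-revalidate).

```python
# Toy HTTP cache applying simplified RFC 7234 Cache-Control rules. The origin,
# URLs, ETags and timeline below are constructed for illustration, not real traffic.

# Directives that let a shared cache reuse a response to a request that carried
# Authorization (RFC 7234 section 3.2).
AUTH_OVERRIDES = ("public", "must-revalidate", "s-maxage")

def parse_cache_control(value):
    """Split a Cache-Control field value into {directive: argument or None}."""
    directives = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives

class Origin:
    """Constructed origin: resources[url] = (etag, cache_control, body); answers 304
    when the validator presented by the cache still matches, else a full 200."""
    def __init__(self):
        self.resources, self.hits = {}, 0  # hits = requests that reached the origin

    def __call__(self, url, if_none_match):
        self.hits += 1
        etag, cache_control, body = self.resources[url]
        headers = {"cache-control": cache_control, "etag": etag}
        if if_none_match is not None and if_none_match == etag:
            return {"status": 304, "headers": headers, "body": None}
        return {"status": 200, "headers": headers, "body": body}

class Cache:
    """One cache: shared=True models a CDN or proxy, shared=False a browser."""
    def __init__(self, shared):
        self.shared, self.entries = shared, {}  # entries: url -> (stored_at, response)

    def freshness_lifetime(self, cc):
        # s-maxage overrides max-age in shared caches; no heuristic freshness here
        if self.shared and cc.get("s-maxage") is not None:
            return int(cc["s-maxage"])
        return int(cc["max-age"]) if cc.get("max-age") is not None else 0

    def may_store(self, cc, authorized):
        if "no-store" in cc or (self.shared and "private" in cc):
            return False
        # shared caches must not reuse responses to Authorization requests unless told
        return not (self.shared and authorized and not any(d in cc for d in AUTH_OVERRIDES))

    def get(self, url, origin, now, authorized=False):
        """-> (body, how): 'cache' = fresh hit, origin not contacted; 'revalidated' =
        stale hit confirmed by a 304; 'origin' = full response fetched."""
        entry = self.entries.get(url)
        if entry is not None:
            stored_at, cached = entry
            cc = parse_cache_control(cached["headers"].get("cache-control", ""))
            if "no-cache" not in cc and now - stored_at < self.freshness_lifetime(cc):
                return cached["body"], "cache"
            # stale (max-age=0 is stale at once) or no-cache: validate before reuse
            reply = origin(url, cached["headers"].get("etag"))
            if reply["status"] == 304:
                self.entries[url] = (now, cached)
                return cached["body"], "revalidated"
        else:
            reply = origin(url, None)
        cc = parse_cache_control(reply["headers"].get("cache-control", ""))
        if self.may_store(cc, authorized):
            self.entries[url] = (now, reply)
        # a non-storable reply is simply not stored; any older entry is left alone
        return reply["body"], "origin"

def no_store_does_not_evict():
    """Origin switches to no-store after t=0; the max-age=60 copy is still served at t=30."""
    origin, cdn = Origin(), Cache(shared=True)
    origin.resources["/account"] = ('"v1"', "max-age=60", "balance: 100")
    first = cdn.get("/account", origin, now=0)
    origin.resources["/account"] = ('"v2"', "no-store", "balance: 0")
    during = cdn.get("/account", origin, now=30)  # origin never sees this request
    after = cdn.get("/account", origin, now=61)  # stale -> validated -> not stored
    again = cdn.get("/account", origin, now=62)
    return first, during, after, again

def max_age_zero_vs_no_cache_vs_no_store():
    """Browser cache, second request one second later: {cc: (how, origin hits)}."""
    results = {}
    for cc in ("max-age=0", "no-cache, max-age=60", "no-store", "max-age=60"):
        origin, browser = Origin(), Cache(shared=False)
        origin.resources["/report"] = ('"r1"', cc, "quarterly")
        browser.get("/report", origin, now=0)
        results[cc] = (browser.get("/report", origin, now=1)[1], origin.hits)
    return results

def public_vs_private_vs_bare():
    """Shared cache, second request: {cc: (anonymous request, with Authorization)}."""
    results = {}
    for cc in ("max-age=60", "public, max-age=60", "private, max-age=60"):
        hows = []
        for authorized in (False, True):
            origin, cdn = Origin(), Cache(shared=True)
            origin.resources["/me"] = ('"m1"', cc, "alice")
            cdn.get("/me", origin, now=0, authorized=authorized)
            hows.append(cdn.get("/me", origin, now=1, authorized=authorized)[1])
        results[cc] = tuple(hows)
    return results
```

Two things the model makes visible that the directives' names hide: max-age=0 and no-cache both lead to a conditional request and a 304, so the stored copy is reused after validation, while only no-store keeps the copy out of the cache in the first place; and for an anonymous request a shared cache treats max-age=60 and public, max-age=60 the same, so the difference only appears once the request carried credentials.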