1

I have a small issue here. This is what my web.config looks like:

<add name="Cache-Control" value="no-cache, no-store, must-revalidate, private" />
<add name="Pragma" value="no-cache" />

But when I checked with the ZAP tool I got something like this:

Cache-Control: no-cache,no-cache, no-store, must-revalidate, private
Pragma: no-cache,no-cache

So the value in Pragma is duplicated. Also, in some responses Cache-Control had "public" at the beginning, like:

Cache-Control: public, no-cache, no-cache, no-store, must-revalidate, private

Is there any way to set only headers from my web.config?

Another question: is there any way to set the headers in the main response but disable them when the response is a .css or .js file? I want them to be cached.

3 Answers

1

I think the Cache-Control header is also getting set by ASP.NET's Output Caching infrastructure.

I wouldn't suggest battling ASP.NET by manually setting the Cache-Control header... you want ASP.NET's Output Caching infrastructure to do it for you. Output caching can be configured in web.config's outputCache element. More information about configuring the output cache is available here.

And you probably don't need to worry too much about the Pragma header (unless you're expecting a lot of pre-HTTP 1.1 clients from the 1990s!).

Headers for your static js/css content are typically handled directly by IIS since static content isn't (usually) served up by ASP.NET. This discussion will get you pointed in the right direction.

Mark Waterman

1

First of all - duplication shouldn't be an issue.

HTTP RFC2616 says:

Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded.

So, multiple headers with the same name are OK (WWW-Authenticate is such a case) if the entire field-value is defined as a comma-separated list of values.

You can find more information here.

When it comes to cache settings for files with a particular file extension, you can take a look at the output caching section in IIS.

Arkadiusz Kałkus

0

I found the solution for me.

I created an attribute and added it to the base controller:

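using System;
using System.Web;
using System.Web.Mvc;

// Action filter that marks every response it covers as non-cacheable.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Emits Cache-Control: no-cache, then appends the remaining directives.
        filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        filterContext.HttpContext.Response.Cache.AppendCacheExtension("no-store, must-revalidate, private");
        base.OnResultExecuting(filterContext);
    }
}

// Controllers that derive from BaseController inherit the filter.
[NoCache]
public class BaseController : Controller
{
}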

Now all my .js, .css, .png, .jpg files are cached but my request is not visible in cache :)
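
The RFC 2616 combining rule quoted in the second answer can be used to check what a cache actually receives. The sketch below is an added example, not code from the question or any answer: it merges repeated header fields, de-duplicates the Cache-Control directives, and flags the public/private mix that showed up in ZAP. The function names and the split-field and static-asset samples are assumptions.

```python
import re

# Commas inside a quoted directive argument, e.g. private="Set-Cookie, X", do not split.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def combine_headers(raw_lines):
    """RFC 2616 sec. 4.2: append repeated field-values to the first, in order."""
    combined = {}
    for line in raw_lines:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        combined[key] = f"{combined[key]}, {value}" if key in combined else value
    return combined

def cache_directives(header_value):
    """Ordered, de-duplicated Cache-Control directives (lower-cased)."""
    seen = []
    for token in _COMMA.split(header_value):
        directive = token.strip().lower()
        if directive and directive not in seen:
            seen.append(directive)
    return seen

def audit(raw_lines, sensitive=True):
    """Return (directives, findings); sensitive=True means the body must not be stored."""
    directives = cache_directives(combine_headers(raw_lines).get("cache-control", ""))
    names = {d.split("=", 1)[0] for d in directives}
    findings = []
    if {"public", "private"} <= names:
        findings.append("contradictory: public and private")
    if sensitive and "no-store" not in names:
        findings.append("sensitive response lacks no-store")
    if not sensitive and "no-store" in names:
        findings.append("static asset carries no-store")
    return directives, findings

# Constructed samples. ZAP_PAGE reuses the header values quoted in the question;
# the split-field and static-asset responses are assumptions for illustration.
ZAP_PAGE = ["Cache-Control: public, no-cache, no-cache, no-store, must-revalidate, private",
            "Pragma: no-cache,no-cache"]
SPLIT_FIELDS = ["Cache-Control: no-cache",
                "Cache-Control: no-cache, no-store, must-revalidate, private"]
STATIC_JS = ["Cache-Control: max-age=604800"]

if __name__ == "__main__":
    for label, resp, sensitive in [("page", ZAP_PAGE, True),
                                   ("split", SPLIT_FIELDS, True),
                                   ("static", STATIC_JS, False)]:
        print(label, *audit(resp, sensitive))
```

Run against captured responses, an empty findings list for pages and for static assets confirms that only the intended directives reach the client.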