5

I've read about single Cache-Control header values. To test what I learned, I opened Facebook and inspected it. This is the Cache-Control response header I got:

cache-control:private, no-cache, no-store, must-revalidate

I am confused about what this header actually tells, because it contains 4 values at once. So what happens with the resource sent through the network, if it contains such a header?

EDIT:

no-store says, "do not store at all, not in private nor public caches", and no-cache says "yeees you can cache, but make sure you revalidate for freshness when the resource is requested". Private says "you can store in private caches". It can't do all 3 at the same time. But yet, here we are, having them sent in the response at the same time. Looks like there are some additional rules I am not aware of.

sanjihan
  • Read the spec? https://greenbytes.de/tech/webdav/rfc7234.html#cache-response-directive – Julian Reschke May 28 '16 at 19:43
  • 1
    I know what they mean separate, I don't know what to think about them when there are more than one. no-cache and no-store mean different things and cannot be obeyed at the same time for example. – sanjihan May 28 '16 at 19:55
  • `no-cache` does not say "you can cache." `private` does, and so it does contradict `no-store` in theory, but this is not a problem in practice. – Vasiliy Faronov May 28 '16 at 21:59

2 Answers

5

RFC 7234 is a good reference for the precise meaning of the headers.

no-cache and no-store mean different things and cannot be obeyed at the same time for example.

They absolutely can. The directives are redundant, but not contradictory. no-cache:

indicates that a cache MUST NOT use a stored response to satisfy the request without successful validation on the origin server.

and no-store:

indicates that a cache MUST NOT store any part of either this request or any response to it.

As no-store is essentially stricter than no-cache, the result is effectively no-store. Similarly for the other headers; I believe:

Cache-control: no-store

would be a simpler way to get the same result. However, it's possible that the header you're seeing is a combination of advice, rather than an intentionally consistent policy.

Note that, as the spec says, duplicated directives may be invalid:

When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.

but I don't believe that's the case here.

Joe
  • Thank you for a detailed answer. The private directive indicates that the message can be stored in private caches; no-store instructs not to store in private nor public caches. What now? Really confusing – sanjihan Jun 19 '16 at 19:13
  • 1
    Not quite; `private` indicates this "MUST NOT be stored by a shared cache." Again, no contradiction, but redundant. – Joe Jun 20 '16 at 09:20
  • Ah yes, I can see now. Thank you again. – sanjihan Jun 20 '16 at 13:03
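Putting Joe's reading of the header into code, as an added example that is not part of the original answer or of any library the page mentions: a small parser for the directive list that applies each RFC 7234 rule quoted above (no-store forbids storing anywhere, private forbids storing in a shared cache, no-cache forbids reuse without revalidation, must-revalidate forbids serving stale copies) and reports the effective storage policy. It also flags any directive that appears more than once, which is the "invalid" case the answer quotes. The function and field names are my own, and quoted directive values containing commas are not handled.

```python
"""Derive the effective caching policy from a Cache-Control response header.

Added example (not the original answer's code). The rules applied here are
the RFC 7234 directive definitions quoted in the answer; field and function
names are assumptions chosen for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CachePolicy:
    """What a cache is allowed to do with the response; everything starts permitted."""
    store_in_private_cache: bool = True
    store_in_shared_cache: bool = True
    reuse_without_revalidation: bool = True
    serve_stale: bool = True
    max_age: Optional[int] = None
    # Directives that occurred more than once (RFC 7234 treats their value as invalid).
    invalid_directives: List[str] = field(default_factory=list)


def parse_cache_control(header: str) -> Dict[str, List[Optional[str]]]:
    """Split 'a, b=1, c="x"' into {'a': [None], 'b': ['1'], 'c': ['x']}.

    Directive names are case-insensitive. A repeated name produces several
    values so the caller can detect the duplicate. Simplification: a quoted
    value containing a comma is not supported.
    """
    directives: Dict[str, List[Optional[str]]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        val = value.strip().strip('"') if sep else None
        directives.setdefault(name, []).append(val)
    return directives


def effective_policy(header: str) -> CachePolicy:
    """Combine the directives: the stricter rule always wins, so the four
    Facebook directives collapse to the same result as a bare no-store."""
    directives = parse_cache_control(header)
    policy = CachePolicy()

    # A directive given twice has an invalid value; caches are encouraged
    # to treat such freshness information as stale.
    for name, values in directives.items():
        if len(values) > 1:
            policy.invalid_directives.append(name)

    if "no-store" in directives:
        # MUST NOT store any part of the response, in any cache.
        policy.store_in_private_cache = False
        policy.store_in_shared_cache = False
    if "private" in directives:
        # MUST NOT be stored by a shared cache (a browser cache may keep it).
        policy.store_in_shared_cache = False
    if "no-cache" in directives:
        # A stored copy MUST NOT be reused without successful validation.
        policy.reuse_without_revalidation = False
    if "must-revalidate" in directives:
        # Once stale, the copy MUST NOT be served without revalidation.
        policy.serve_stale = False
    if "max-age" in directives and "max-age" not in policy.invalid_directives:
        try:
            policy.max_age = int(directives["max-age"][0])  # type: ignore[arg-type]
        except (TypeError, ValueError):
            policy.invalid_directives.append("max-age")
    return policy


if __name__ == "__main__":
    # Constructed input: the header value shown in the question.
    print(effective_policy("private, no-cache, no-store, must-revalidate"))
```

Running it on the header from the question gives a policy where nothing may be stored in either kind of cache, which is why the answer calls the longer header redundant rather than contradictory: each extra directive only removes permissions that no-store already removed.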
-1

These are some good references: http://dev.mobify.com/blog/beginners-guide-to-http-cache-headers/ and How to control web page caching, across all browsers?

Sri
  • 1
    Thanks for stopping by. I have read about them individually. Now there are 4 of them and they exclude each other. For example, you can't obey no-store and no-cache at the same time, since no-store says, "do not store at all", and no-cache says "yeees you can cache, but make sure you revalidate for freshness when the resource is requested". It can't do both at the same time. This is what bothers me. – sanjihan May 28 '16 at 20:09
  • @sanjihan You apply what is more strict. – Arcin B Oct 02 '19 at 18:10