Avoid caching of the http responses
Server-side cache control headers should look like:
Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: {now} GMT
Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate
Avoid rewriting URLs on the client because it pollutes caches, and causes other weird semantic issues. Furthermore:
Use one
Cache-Controlheader (see rfc 2616) because behaviour with multiple entries is undefined. Also the MSIE specific entries in the second cache-control are at best redundant.no-storeis about data security. (it only means don't write this to disk - caches are still allowed to store the response in memory).Pragma: no-cacheis meaningless in a server response - it's a request header meaning that any caches receiving the request must forward it to the origin.Using both
Expires (http/1.0)andcache-control (http/1.1)is not redundant since proxies exist that only speak http/1.0, or will downgrade the protocol.Technically, the last modified header is redundant in light of
no-cache, but it's a good idea to leave it in there.Some browsers will ignore subsequent directives in a cache-control header after they come across one they don't recognise - so put the important stuff first.
Adding header
Cache-control: private
guarantees, that gataway cache won't cache such request.
I'd like to recommend you Fabien Potencier lecture about caching: http://www.slideshare.net/fabpot/caching-on-the-edge