为什么 HTTP 响应中应该同时使用 no-cache 和 no-store ?

发布于 2024-07-20 10:54:05 字数 460 浏览 10 评论 0原文

我被告知要防止用户信息泄漏,仅响应“无缓存”是不够的。 “无店”也是必要的。

Cache-Control: no-cache, no-store

阅读本规范后 http://www.w3.org/Protocols/rfc2616/rfc2616 -sec14.html,我仍然不太清楚为什么。

我目前的理解是它只是针对中间缓存服务器。 即使响应“无缓存”,中间缓存服务器仍然可以将内容保存到非易失性存储中。 中间缓存服务器将决定是否将保存的内容用于后续请求。 但是,如果响应中包含“no-store”,则中间缓存服务器不应存储该内容。 所以,它更安全。

还有其他原因我们需要“无缓存”和“无存储”吗?

I'm told to prevent user-info leaking, only "no-cache" in response is not enough. "no-store" is also necessary.

Cache-Control: no-cache, no-store

After reading this spec http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html, I'm still not quite sure why.

My current understanding is that it is just for intermediate cache server. Even if "no-cache" is in response, intermediate cache server can still save the content to non-volatile storage. The intermediate cache server will decide whether using the saved content for following request. However, if "no-store" is in the response, the intermediate cache sever is not supposed to store the content. So, it is safer.

Is there any other reason we need both "no-cache" and "no-store"?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(13

誰ツ都不明白 2024-07-27 10:54:05

我必须澄清,no-cache 并不意味着不缓存。 事实上,这意味着在每次请求时使用您可能拥有的任何缓存响应之前“通过服务器重新验证”。

另一方面,must-revalidate 仅在资源被视为过时时才需要重新验证。

如果服务器说该资源仍然有效,则缓存可以以其表示形式进行响应,从而减轻服务器重新发送整个资源的需要。

no-store 实际上是完整的不缓存指令,旨在防止以任何形式的缓存存储表示。

我说什么都可以,但请注意 RFC 2616 HTTP 规范中的这一点:

历史缓冲区可以存储此类响应作为其正常操作的一部分

,但这在较新的 RFC 7234 HTTP 规范中被省略,可能是为了使 no-store 更强,请参阅:

https://www.rfc-editor.org/rfc/rfc7234#section-5.2.1.5

I must clarify that no-cache does not mean do not cache. In fact, it means "revalidate with server" before using any cached response you may have, on every request.

must-revalidate, on the other hand, only needs to revalidate when the resource is considered stale.

If the server says that the resource is still valid then the cache can respond with its representation, thus alleviating the need for the server to resend the entire resource.

no-store is effectively the full do not cache directive and is intended to prevent storage of the representation in any form of cache whatsoever.

I say whatsoever, but note this in the RFC 2616 HTTP spec:

History buffers MAY store such responses as part of their normal operation

But this is omitted from the newer RFC 7234 HTTP spec in potentially an attempt to make no-store stronger, see:

https://www.rfc-editor.org/rfc/rfc7234#section-5.2.1.5

静谧幽蓝 2024-07-27 10:54:05

在某些情况下,即使响应标头中包含 Cache-Control: no-cache,IE6 仍会缓存文件。

无缓存的 W3C 状态< /a>:

如果 no-cache 指令没有
指定字段名称,然后指定缓存
不得使用响应来满足
后续请求未成功
与原始服务器重新验证。

在我的应用程序中,如果您访问带有 no-cache 标头的页面,然后注销并在浏览器中返回,IE6 仍会从缓存中获取该页面(无需新的/验证请求)到服务器)。 添加 no-store 标头会阻止它这样做。 但如果你相信 W3C 的话,实际上没有办法控制这种行为:

历史缓冲区可以存储此类响应作为其正常操作的一部分。

浏览器历史记录和普通 HTTP 缓存之间的一般差异在具体描述中进行了描述。规范的子部分

Under certain circumstances, IE6 will still cache files even when Cache-Control: no-cache is in the response headers.

The W3C states of no-cache:

If the no-cache directive does not
specify a field-name, then a cache
MUST NOT use the response to satisfy a
subsequent request without successful
revalidation with the origin server.

In my application, if you visited a page with the no-cache header, then logged out and then hit back in your browser, IE6 would still grab the page from the cache (without a new/validating request to the server). Adding in the no-store header stopped it doing so. But if you take the W3C at their word, there's actually no way to control this behavior:

History buffers MAY store such responses as part of their normal operation.

General differences between browser history and the normal HTTP caching are described in a specific sub-section of the spec.

徒留西风 2024-07-27 10:54:05

在正常情况下,no-store 不是必需的,并且在某些情况下可能会损害速度和可用性。

它的目的是作为一种隐私措施:它告诉浏览器和缓存,响应包含敏感信息,这些信息永远不应写入基于磁盘的缓存(或其他非易失性存储)。

工作原理:

  • 通常,即使服务器将响应标记为无缓存,用户代理(例如浏览器)也可能会存储该响应。 如果用户代理稍后需要再次请求相同的资源,它可能会发出一个条件请求,服务器可以决定发送更新的响应或允许用户代理重新使用存储的响应。

    如果服务器没有肯定地确认存储的响应仍然可以使用,或者如果无法到达服务器,则用户代理(例如浏览器)无法使用存储的响应。

  • 使用no-store将阻止该响应存储到磁盘或任何非易失性存储中,并阻止该响应在以后的条件请求中使用。

我目前的理解是它只是针对中间缓存服务器。 即使响应“no-cache”,中间缓存服务器仍然可以将内容保存到非易失性存储中。

这是不正确的。 与 HTTP 1.1 兼容的中间缓存服务器将遵循与浏览器缓存相同的 no-cachemust-revalidate 指令。

如果中间缓存服务器不支持 HTTP 1.1,那么您将需要使用 Pragma: no-cache 并希望得到最好的结果。 请注意,如果它不支持 HTTP 1.1,则 no-store 也不会达到预期的效果。

no-store should not be necessary in normal situations, and in some cases can harm speed and usability.

It was intended as a privacy measure: it tells browsers and caches that the response contains sensitive information that should never be written to a disk-based cache (or other non-volatile storage).

How it works:

  • Normally, even if a response is marked as no-cache by the server, a user agent such as a browser may store the response. If the user agent needs to request the same resource again later, it may make a conditional request whereby the server can decide to either send an updated response or allow the user agent to re-use the stored response.

    If the server does not positively affirm that the stored response can still be used, or if the server can't be reached, the user agent (eg the browser) can't use the stored response.

  • Using no-store will prevent that response being stored to disk or any non-volatile storage, and prevents the response being used in a later conditional request.

My current understanding is that it is just for intermediate cache server. Even if "no-cache" is in response, intermediate cache server can still save the content to non-volatile storage.

This is incorrect. Intermediate cache servers compatible with HTTP 1.1 will obey the same no-cache and must-revalidate instructions as browser caches will.

If the intermediate cache server does not support HTTP 1.1, then you will need to use Pragma: no-cache and hope for the best. Note that if it doesn't support HTTP 1.1 then no-store is also not going to have the desired effect.

冷…雨湿花 2024-07-27 10:54:05

来自 HTTP 1.1 规范

无商店

no-store指令的目的是防止无意中释放或保留敏感信息(例如,在备份磁带上)。 no-store 指令适用于整个消息,并且可以在响应或请求中发送。 如果在请求中发送,缓存不得存储该请求的任何部分或对其的任何响应。 如果在响应中发送,则缓存不得存储该响应或引发该响应的请求的任何部分。 该指令适用于非共享和共享缓存。 在这种情况下,“不得存储”意味着缓存不得有意将信息存储在非易失性存储中,并且必须在转发信息后尽快尝试从易失性存储中删除信息。
即使该指令与响应相关联,用户也可能显式地将此类响应存储在缓存系统之外(例如,使用“另存为”对话框)。 历史缓冲区可以存储此类响应作为其正常操作的一部分。
该指令的目的是满足某些用户和服务作者的规定要求,他们担心通过对缓存数据结构的意外访问而意外释放信息。 虽然在某些情况下使用该指令可能会改善隐私,但我们警告说,它无论如何都不是确保隐私的可靠或充分的机制。 特别是,恶意或受损的缓存可能无法识别或遵守此指令,并且通信网络可能容易受到窃听。

From the HTTP 1.1 specification:

no-store:

The purpose of the no-store directive is to prevent the inadvertent release or retention of sensitive information (for example, on backup tapes). The no-store directive applies to the entire message, and MAY be sent either in a response or in a request. If sent in a request, a cache MUST NOT store any part of either this request or any response to it. If sent in a response, a cache MUST NOT store any part of either this response or the request that elicited it. This directive applies to both non- shared and shared caches. "MUST NOT store" in this context means that the cache MUST NOT intentionally store the information in non-volatile storage, and MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible after forwarding it.
Even when this directive is associated with a response, users might explicitly store such a response outside of the caching system (e.g., with a "Save As" dialog). History buffers MAY store such responses as part of their normal operation.
The purpose of this directive is to meet the stated requirements of certain users and service authors who are concerned about accidental releases of information via unanticipated accesses to cache data structures. While the use of this directive might improve privacy in some cases, we caution that it is NOT in any way a reliable or sufficient mechanism for ensuring privacy. In particular, malicious or compromised caches might not recognize or obey this directive, and communications networks might be vulnerable to eavesdropping.

爱情眠于流年 2024-07-27 10:54:05

如果您想阻止所有缓存(例如,使用后退按钮时强制重新加载),您需要:

  • no-cache for IE

  • no-store for Firefox

这里有我关于此的信息:

http://blog.httpwatch.com/2008/10/15/two-important-differences- Between-firefox-and-ie-caching/

If you want to prevent all caching (e.g. force a reload when using the back button) you need:

  • no-cache for IE

  • no-store for Firefox

There's my information about this here:

http://blog.httpwatch.com/2008/10/15/two-important-differences-between-firefox-and-ie-caching/

云柯 2024-07-27 10:54:05

对于 Chrome,无缓存用于在重新访问时重新加载页面,但如果您返回历史记录(后退按钮),它仍然会缓存它。 要重新加载页面以进行历史记录返回,请使用 no-store。 IE 需要必须重新验证才能在所有情况下工作。

因此,为了确保避免所有错误和误解,

Cache-Control: no-store, no-cache, must-revalidate

如果我想确保它重新加载,我总是使用它。

For chrome, no-cache is used to reload the page on a re-visit, but it still caches it if you go back in history (back button). To reload the page for history-back as well, use no-store. IE needs must-revalidate to work in all occasions.

So just to be sure to avoid all bugs and misinterpretations I always use

Cache-Control: no-store, no-cache, must-revalidate

if I want to make sure it reloads.

老娘不死你永远是小三 2024-07-27 10:54:05

如果缓存系统正确实现了无存储,那么您就不需要无缓存。 但并非所有人都这样做。 此外,一些浏览器像无存储一样实现无缓存。 因此,虽然没有严格要求,但同时包含两者可能是最安全的。

If a caching system correctly implements no-store, then you wouldn't need no-cache. But not all do. Additionally, some browsers implement no-cache like it was no-store. Thus, while not strictly required, it's probably safest to include both.

雪落纷纷 2024-07-27 10:54:05

请注意,当尝试下载通过 https 提供的文件并且服务器发送 Cache-Control: no-cachePragma: no-cache 时,Internet Explorer 从版本 5 到 8 将抛出错误 标头。

请参阅http://support.microsoft.com/kb/812935/en-us

使用 Cache-Control: no-storePragma: private 似乎是仍然有效的最接近的方法。

Note that Internet Explorer from version 5 up to 8 will throw an error when trying to download a file served via https and the server sending Cache-Control: no-cache or Pragma: no-cache headers.

See http://support.microsoft.com/kb/812935/en-us

The use of Cache-Control: no-store and Pragma: private seems to be the closest thing which still works.

装迷糊 2024-07-27 10:54:05

最初我们多年前使用了无缓存,并且确实在某些浏览器上遇到了一些陈旧内容的问题......不幸的是不记得具体细节了。

从那时起,我们就决定只使用无存储。 从那时起,任何浏览器或中介机构都不再回顾过时内容,也没有遇到过任何过时内容的问题。

这个空间肯定是由实际的实现与各种 RFC 中所写的内容主导的。 许多代理人尤其倾向于认为,通过用自己的政策取代他们应该遵循的政策,他们可以更好地“提高绩效”。

Originally we used no-cache many years ago and did run into some problems with stale content with certain browsers... Don't remember the specifics unfortunately.

We had since settled on JUST the use of no-store. Have never looked back or had a single issue with stale content by any browser or intermediaries since.

This space is certainly dominated by reality of implementations vs what happens to have been written in various RFCs. Many proxies in particular tend to think they do a better job of "improving performance" by replacing the policy they are supposed to be following with their own.

丢了幸福的猪 2024-07-27 10:54:05

为了回答这个问题,这里有两个参与者,客户端(请求)和服务器(响应)。

客户端

客户端只能使用一种缓存方法进行请求。 有不同的方法,如果没有指定,将使用默认

  • 默认:检查浏览器缓存:
    1. 如果已缓存且“新鲜”:从缓存返回。
    2. 如果已缓存、过时,但仍然“有效”:从缓存返回,并安排提取以更新缓存(以供下次使用)。
    3. 如果已缓存且过时:按条件获取、缓存并返回。
    4. 如果未缓存:获取、缓存并返回。
  • 无存储:获取并返回。
  • 重新加载:获取、缓存和返回。 (default-4
  • 无缓存:检查浏览器缓存:
    1. 如果缓存:按条件获取、缓存并返回。 (默认-3
    2. 如果未缓存:获取、缓存并返回。 (默认-4
  • force-cache:检查浏览器缓存:
    1. 如果已缓存:无论是否过时都将其返回。
    2. 如果不缓存:获取、缓存并返回。 (默认-4
  • only-if-cached:检查浏览器缓存:
    1. 如果已缓存:无论是否过时都将其返回。
    2. 如果未缓存:抛出网络错误。

注意:

  • 仍然“有效”意味着当前 age 处于 stale-while-revalidate 生命周期内。 它需要“重新验证”,但仍然可以接受退货。
  • 为简单起见,这里的“获取”是“非条件网络”的缩写
    “带条件获取
  • ”意味着使用像这样的标头进行获取
    If-Modified-SinceETag,以便服务器可以响应 304:(未修改)

https://fetch.spec.whatwg.org/#concept-request-缓存模式

服务器:

现在我们了解了客户端可以做什么,服务器响应就更有意义了。
查看Cache-Control标头,如果服务器返回:

  • no-store:告诉客户端根本不使用缓存
  • no-cache:告诉客户端应该执行条件请求并忽略新鲜度
  • ma​​x-age:告诉客户端缓存“新鲜”的时间有多长
  • stale-while-revalidate:告诉客户端缓存的时间有多长“有效”
  • 不可变:永久缓存

现在我们可以将它们放在一起。 这意味着唯一的可能性是:

  • 非条件网络获取
  • 有条件网络获取
  • 返回过时的缓存
  • 返回过时但有效的缓存
  • 返回新鲜的缓存
  • 返回任何缓存

客户端或服务器的任何组合都可以指定要使用的方法或方法集。 如果服务器返回no-store,则无论客户端请求类型是什么,它都不会访问缓存。 如果客户端请求是no-store,那么无论服务器返回什么,它都不会缓存。 如果客户端未指定请求类型,服务器将使用 Cache-Control 来指定它。

服务器同时返回 no-cacheno-store 是没有意义的,因为 no-store 会覆盖所有内容。 是的,您可能已经同时看到过两者,并且在损坏的浏览器实现之外它毫无用处。 尽管如此,no-store 自 1999 年以来一直是规范的一部分:https://datatracker.ietf.org/doc/html/rfc2616#section-14.9.2

在实际使用中,如果您的服务器支持304:未修改,如果您想使用客户端缓存来提高速度,但仍想强制进行网络获取,请使用no-cache。 如果不支持 304,并且想要强制网络获取,请使用 no-store。 如果有时您对缓存没问题,请使用新鲜度和重新验证标头。

实际上,如果您在客户端上混合使用 no-cacheno-store,几乎不会有任何改变。 然后,只需发送几个标头,浏览器就会处理不同的内部响应。 如果您使用no-cache,然后忘记使用它,则可能会出现问题。 no-cache 告诉它将响应存储在缓存中,稍后没有它的请求可能会触发内部缓存。

有时,您甚至可能希望根据上下文在同一资源上混合使用方法。 例如,您可能希望在服务工作线程和后台同步上使用 reload,但对网页本身使用 default。 您可以在此处根据自己的喜好操作用户代理(浏览器)缓存。 请记住,服务器通常对缓存如何工作有最终决定权。


澄清一些未来可能出现的混乱。 客户端可以在请求上使用Cache-Control标头,告诉服务器在响应时不要使用自己的缓存系统。 这与浏览器/服务器动态无关,更多地与服务器/数据库动态相关。

另外,“无存储”在技术上意味着不得存储到任何非易失性存储(磁盘)并尽快从易失性存储(内存)中释放它。 实际上,这意味着根本不使用缓存。 该命令实际上是双向的。 带有 no-store 的客户端请求不应写入磁盘或数据库,并且是瞬态的。


TL;DR:no-store 覆盖 no-cache。 设置两者是没有用的,除非我们谈论的是不符合规范或不支持 no-store 的 HTTP/1.0 浏览器(也许是 IE11?)。 使用 no-cache 来支持 304

To answer the question, there are two players here, the client (request) and the server (response).

Client:

The client can only request with ONE cache method. There are different methods and if not specified, will use default.

  • default: Inspect browser cache:
    1. If cached and "fresh": Return from cache.
    2. If cached, stale, but still "valid": Return from cache, and schedule a fetch to update cache (for next use).
    3. If cached and stale: Fetch with conditions, cache, and return.
    4. If not cached: Fetch, cache, and return.
  • no-store: Fetch and return.
  • reload: Fetch, cache, and return. (default-4)
  • no-cache: Inspect browser cache:
    1. If cached: Fetch with conditions, cache, and return. (default-3)
    2. If not cached: Fetch, cache, and return. (default-4)
  • force-cache: Inspect browser cache:
    1. If cached: Return it regardless if stale.
    2. If not cache: Fetch, cache, and return. (default-4)
  • only-if-cached: Inspect browser cache:
    1. If cached: Return it regardless if stale.
    2. If not cached: Throw network error.

Notes:

  • Still "valid" means the current age is within the stale-while-revalidate lifetime. It needs "revalidation", but is still acceptable to return.
  • "Fetch" here, for simplicity, is short for "non-conditional network
    fetch".
  • "Fetch with conditions" means fetch using headers like
    If-Modified-Since, or ETag so the server can respond with 304: (Not Modified).

https://fetch.spec.whatwg.org/#concept-request-cache-mode

Server::

Now that we understand what the client can do, the server responses make more sense.
Looking at the Cache-Control header, if the server returns:

  • no-store: Tells client to not use cache at all
  • no-cache: Tells client it should do conditional requests and ignore freshness
  • max-age: Tells client how long a cache is "fresh"
  • stale-while-revalidate: Tells client how long cache is "valid"
  • immutable: Cache forever

Now we can put it all together. That means the only possibilities are:

  • Non-conditional network fetch
  • Conditional network fetch
  • Return stale cache
  • Return stale but valid cache
  • Return fresh cache
  • Return any cache

Any combination of client, or server can dictate what method, or set of methods, to use. If the server returns no-store, it's not going to hit the cache, no matter what the client request type. If the client request was no-store, it doesn't matter what the server returns, it won't cache. If the client doesn't specify a request type, the server will dictate it with Cache-Control.

It makes no sense for a server to return both no-cache and no-store since no-store overrides everything. Yes, you've probably seen both together, and it's useless outside of broken browser implementations. Still, no-store has been part of spec since 1999: https://datatracker.ietf.org/doc/html/rfc2616#section-14.9.2

In real life usage, if your server supports 304: Not Modified, and you want to use client cache as a way to improve speed, but still want to force a network fetch, use no-cache. If don't support 304, and want to force a network fetch, use no-store. If you're okay with cache sometimes, use freshness and revalidation headers.

In reality, if you're mixing up no-cache and no-store on the client, very little would change. Then, just a couple of headers get sent and there will different internal responses handled by the browser. An issue can occur if you use no-cache and then forget to use it later. no-cache tells it to store the response in the cache, and a later request without it might trigger internal cache.

There are times when you may want to mix methods even on the same resource based on context. For example, you may want to use reload on a service worker and background sync, but use default for the web page itself. This is where you can manipulate the user agent (browser) cache to your liking. Just remember that the server generally has the final say as to how the cache should work.


To clarify some possible future confusion. The client can use the Cache-Control header on the request, to tell the server to not use its own cache system when responding. This is unrelated to the browser/server dynamic, and more about the server/database dynamic.

Also no-store technically means must not store to any non-volatile storage (disk) and release it from volatile storage (memory) ASAP. In practice, it means don't use a cache at all. The command actually goes both ways. A client request with no-store shouldn't write to disk or database and is meant to transient.


TL;DR: no-store overrides no-cache. Setting both is useless, unless we are talking out-of-spec or HTTP/1.0 browsers that don't support no-store (Maybe IE11?). Use no-cache for 304 support.

赏烟花じ飞满天 2024-07-27 10:54:05

更糟糕的是,在某些情况下,不能使用 no-cache,但 no-store 可以:

http://faindu.wordpress.com/2008/04/18/ie7-ssl-xml-flex-error-2032-stream -错误/

Just to make things even worse, in some situations, no-cache can't be used, but no-store can:

http://faindu.wordpress.com/2008/04/18/ie7-ssl-xml-flex-error-2032-stream-error/

魄砕の薆 2024-07-27 10:54:05

这是一个相当古老的主题,但我将分享一些最近的想法:

no-store:不得尝试存储任何内容,并且还必须采取措施删除它可能拥有的任何副本。

no-cache:在未先与源服务器进行验证的情况下,切勿使用本地副本。 它可以防止缓存命中的所有可能性,即使使用新资源也是如此。

所以,回答这个问题,只使用其中之一就足够了。
此外,一些(不是非常)最近的作品证明浏览器更如今与缓存控制兼容。

A pretty old topic but I'll share some recent ideas:

no-store: Must not attempt to store anything, and must also take action to delete any copy it might have.

no-cache: Never use a local copy without first validating with the origin server. It prevents all possibility of a cache hit, even with fresh resources.

So, answering the question, using only one of them is enough.
Also, some (not very) recent works prove that browsers are more Cache-Control compatible nowadays.

强者自强 2024-07-27 10:54:05

OWASP 对此进行了讨论:

缓存控制指令之间有什么区别:no-cache 和 no-store?

响应中的 no-cache 指令指示该响应不得用于服务后续请求,即缓存不得显示在标头中设置了此指令的响应,但必须让服务器服务该请求。 no-cache 指令可以包含一些字段名称; 在这种情况下,除了应由服务器提供的指定字段名称之外,可以从缓存中显示响应。 no-store 指令适用于整个消息,并指示缓存不得存储响应的任何部分或任何请求它的请求。

我对这些指令完全安全吗?

没有。 但一般情况下,除了 Expires: 0(或足够回溯的 GMT 日期,例如 UNIX 纪元)之外,还使用 ​​Cache-Control: no-cache, no-store 和 Pragma: no-cache。 即使设置了上述缓存控制指令,非 html 内容类型(如 pdf、word 文档、excel 电子表格等)也经常会被缓存(尽管这因版本以及必须重新验证、预检查=0、后检查的附加使用而异) =0、max-age=0 和 s-maxage=0 实际上有时至少会导致在某些情况下由于浏览器怪癖和 HTTP 实现而导致浏览器关闭时文件被删除。 此外,“自动完成”功能允许浏览器缓存用户在表单输入字段中键入的任何内容。 要检查这一点,表单标签或单个输入标签应包含“Autocomplete=”Off””属性。 但是,应该注意的是,该属性是非标准的(尽管主流浏览器都支持它),因此它会破坏 XHTML 验证。

来源此处

OWASP discusses this:

What's the difference between the cache-control directives: no-cache, and no-store?

The no-cache directive in a response indicates that the response must not be used to serve a subsequent request i.e. the cache must not display a response that has this directive set in the header but must let the server serve the request. The no-cache directive can include some field names; in which case the response can be shown from the cache except for the field names specified which should be served from the server. The no-store directive applies to the entire message and indicates that the cache must not store any part of the response or any request that asked for it.

Am I totally safe with these directives?

No. But generally, use both Cache-Control: no-cache, no-store and Pragma: no-cache, in addition to Expires: 0 (or a sufficiently backdated GMT date such as the UNIX epoch). Non-html content types like pdf, word documents, excel spreadsheets, etc often get cached even when the above cache control directives are set (although this varies by version and additional use of must-revalidate, pre-check=0, post-check=0, max-age=0, and s-maxage=0 in practice can sometimes result at least in file deletion upon browser closure in some cases due to browser quirks and HTTP implementations). Also, 'Autocomplete' feature allows a browser to cache whatever the user types in an input field of a form. To check this, the form tag or the individual input tags should include 'Autocomplete="Off" ' attribute. However, it should be noted that this attribute is non-standard (although it is supported by the major browsers) so it will break XHTML validation.

Source here.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文