
meaning of multiple values in cache-control header


I've read about single cache-control header values. To test what I learned, I opened Facebook and inspected it. This is the Cache-Control response header I get:

cache-control:private, no-cache, no-store, must-revalidate

I am confused about what this header actually tells, because it contains 4 values at once. So what happens with the resource sent through the network, if it contains such a header?

EDIT:

no-store says, "do not store at all, not in private not public caches", and no-cache says "yeees you can cache, but make sure you revalidate for freshness when resource is requested". Private says "you can store in the private caches". It can't do all 3 at the same time. But yet, here we are having them sent in response at the same time. Looks like there are some additional rules I am not aware of.


Solution

  • RFC 7234 is a good reference for the precise meaning of the headers.

    "no-cache and no-store mean different things and cannot be obeyed at the same time for example."

    They absolutely can. The directives are redundant, but not contradictory. no-cache:

    indicates that a cache MUST NOT use a stored response to satisfy the request without successful validation on the origin server.

    and no-store:

    indicates that a cache MUST NOT store any part of either this request or any response to it.

    As no-store is essentially stricter than no-cache, the result is effectively no-store. Similarly for the other headers; I believe:

    Cache-control: no-store
    

    would be a simpler way to get the same result. However, it's possible that the header you're seeing is a combination of advice, rather than an intentionally consistent policy.

    Note that, as the spec says, duplicated directives may be invalid:

    When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.

    but I don't believe that's the case here.
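
Added example (not part of the original answer): a small Python resolver for the RFC 7234 directive semantics quoted above, showing that the header from the question reduces to the same policy as no-store alone and flagging duplicated directives. The function names and policy field names are assumptions made for this illustration, and only the storage and reuse directives are modelled.

```python
import re

# A directive is a name with an optional =token or ="quoted string" argument.
_DIRECTIVE = re.compile(r'([^\s,="]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*))?')


def parse_cache_control(value):
    """Return (directives, duplicates). Names are lowercased; a missing argument is None."""
    directives, duplicates = {}, set()
    for name, arg in _DIRECTIVE.findall(value):
        name = name.lower()
        if name in directives:
            duplicates.add(name)  # repeated directive: its value is considered invalid
        directives[name] = arg.strip('"') or None
    return directives, duplicates


def effective_policy(value):
    """Summarise what the directives forbid, strictest rule first."""
    d, dup = parse_cache_control(value)

    def unqualified(name):
        # The field-name forms (e.g. private="set-cookie") restrict only those fields.
        return name in d and d[name] is None

    no_store = "no-store" in d
    if no_store:
        reuse = "nothing stored"  # no-cache / must-revalidate become moot
    elif unqualified("no-cache"):
        reuse = "validate before every reuse"
    elif "must-revalidate" in d:
        reuse = "validate once stale"
    else:
        reuse = "normal freshness rules"
    return {
        "duplicates": sorted(dup),
        "store_forbidden": no_store,
        "shared_store_forbidden": no_store or unqualified("private"),
        "reuse": reuse,
    }


if __name__ == "__main__":
    # Header value taken from the question, followed by constructed variants.
    for header in ("private, no-cache, no-store, must-revalidate",
                   "no-store", "private, no-cache", "max-age=60, max-age=120"):
        print(f"{header!r:50} -> {effective_policy(header)}")
```

Without no-store, the same resolver reports that "private, no-cache" still allows a private cache to store the response but requires validation before every reuse.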