I've read about single Cache-Control header values. To test what I learned, I opened Facebook and inspected it. This is the Cache-Control response header I get:
cache-control:private, no-cache, no-store, must-revalidate
I am confused about what this header actually tells, because it contains 4 values at once. So what happens with the resource sent through the network if it contains such a header?
EDIT:
no-store says, "do not store at all, not in private, not in public caches", and no-cache says "yeees you can cache, but make sure you revalidate for freshness when the resource is requested". Private says "you can store in the private caches". It can't do all 3 at the same time. But yet, here we are having them sent in the response at the same time. Looks like there are some additional rules I am not aware of.
RFC 7234 is a good reference for the precise meaning of the headers.
no-cache and no-store mean different things and cannot be obeyed at the same time for example.
They absolutely can. The directives are redundant, but not contradictory. no-cache: "indicates that a cache MUST NOT use a stored response to satisfy the request without successful validation on the origin server." and no-store: "indicates that a cache MUST NOT store any part of either this request or any response to it."
As no-store is essentially stricter than no-cache, the result is effectively no-store. Similarly for the other headers; I believe:
Cache-control: no-store
would be a simpler way to get the same result. However, it's possible that the header you're seeing is a combination of advice, rather than an intentionally consistent policy.
Note that, as the spec says, duplicated directives may be invalid:
When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.
but I don't believe that's the case here.
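To make the "redundant but not contradictory" point concrete, here is an added example (not code from the question or the answer above) that parses a Cache-Control value the way RFC 7234 section 5.2 describes and reduces it to the decisions a cache actually makes: may it store the response privately, may it store it in a shared cache, and may it reuse a stored copy without validating with the origin. It also flags duplicated directives, which section 4.2.1 says make the freshness information invalid. The helper names and the sample headers other than the one from the question are constructed for this illustration.

```python
from collections import Counter


def parse_cache_control(value):
    """Split a Cache-Control field value into ({directive: argument}, invalid).

    Directive names are case-insensitive (RFC 7234 section 5.2). A directive
    that appears more than once is reported in `invalid`, because RFC 7234
    section 4.2.1 says such a directive's value is to be considered invalid.
    """
    directives = {}
    seen = Counter()
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        seen[name] += 1
        # Keep the last value; callers must consult `invalid` before trusting it.
        directives[name] = arg.strip().strip('"') if sep else None
    invalid = {name for name, count in seen.items() if count > 1}
    return directives, invalid


def effective_policy(value):
    """Reduce a header to the decisions a cache makes when it sees it."""
    directives, invalid = parse_cache_control(value)
    no_store = "no-store" in directives
    private = "private" in directives
    no_cache = "no-cache" in directives
    return {
        # no-store forbids storing anywhere (RFC 7234 section 5.2.2.3)
        "may_store_private": not no_store,
        # private additionally forbids shared caches (section 5.2.2.6)
        "may_store_shared": not (no_store or private),
        # a stored copy may be reused without contacting the origin only if
        # storing is allowed at all and no-cache is absent (section 5.2.2.2)
        "reuse_without_validation": not no_store and not no_cache,
        # duplicated directives: freshness information is invalid, and caches
        # are encouraged to treat the response as stale (section 4.2.1)
        "freshness_invalid": bool(invalid),
    }


# The header from the question, plus constructed variants for comparison.
SAMPLES = {
    "from the question": "private, no-cache, no-store, must-revalidate",
    "no-store only": "no-store",
    "privately cacheable": "private, max-age=600",
    "duplicate max-age": "public, max-age=60, max-age=120",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:20} {header:45} -> {effective_policy(header)}")
```

Running it shows that the four-directive header from the question collapses to exactly the same policy as a bare no-store, which is the answer's point, while "private, max-age=600" is storable in a private cache and reusable without validation, and the header carrying max-age twice is flagged as having invalid freshness information.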