While debugging a production issue, we found that GET requests to a URL is returning a 500 Internal Server Error for one user but returning 200 OK for everyone else. It had appeared that the 500 was being served from the cache, but any attempt since to reproduce this bug was unsuccessful.
My question is: is it possible for an error response to be cached by the browser? If so, which browsers support it and what cache headers would I need to replicate it?
My intuition is that the error response shouldn't be cached because you will continue to be denied service even though the bug has been fixed. Based on Which HTTP status codes are cacheable? it also seems like 500 shouldn't be cacheable at all. Is caching policy implemented consistently across browsers?
A 500 Internal Server Error is specified to be not cacheable by default. For reference see Section 6.1 of RFC 7231 and Section 6.6.1 500 Internal Server Error of RFC 7231. If a 500 would be cacheable by default, the spec would define that explicitly.
However, depending on explicit caching headers this behavior can be overridden and it totally can happen that a 500 response is being cached because Section 3 of RFC 7234 says, amongst other relevant things to your problem, this:
Note that any of the requirements listed above can be overridden by a cache-control extension;
My guess is that something has been messed up with caching headers in case of a 500 error.
To provoke caching of a 500 response one could try to set the public flag in the Cache-Control response header.