I have a particular HTTP response which I don't want cached because it has private/sensitive data in it.
I'm already setting Cache-Control to no-store, which should handle clients supporting HTTP/1.1.
How do I use the Expires header to do the same for HTTP/1.0? Should I just set it with an arbitrary timestamp from 1970 or something? Is there a special value to tell it never to cache?
The HTTP RFC says:
To mark a response as "already expired," an origin server sends an Expires date that is equal to the Date header value.
You should set the expires header to a date in the past. And you should also set the must-revalidate flag on the Cache-Control header.
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-control: no-cache, must-revalidate
You can find a good article dealing with caching issues on the doctype wiki:
Setting an Expires header in the past ensures that HTTP/1.0 and HTTP/1.1 proxies and browsers will not cache the content. The Cache-control directive also tells HTTP/1.1 proxies not to cache the content. Even if proxies may be configured to return stale content when they should not, the must-revalidate re-affirms that they SHOULD NOT do it.
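As an added example (not code from any of the posts above), the following Python sketch builds the header set discussed here, with `Expires` equal to `Date` as in the RFC quote and `no-store` as in the question, and audits an arbitrary header set for the same properties. The function names `no_cache_headers` and `audit` are hypothetical, and only the standard library is used.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def no_cache_headers(now=None):
    """Headers for a sensitive response: no-store plus Expires equal to Date."""
    now = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    stamp = format_datetime(now, usegmt=True)  # HTTP date, always in GMT
    return {
        "Date": stamp,
        "Expires": stamp,  # "already expired" for HTTP/1.0 caches
        "Cache-Control": "no-store, no-cache, must-revalidate",
    }


def _parse(value):
    """Parse an HTTP date; return None if it is not a valid date."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit(headers):
    """Return a list of findings; an empty list means these checks all passed."""
    h = {name.lower(): value for name, value in headers.items()}
    directives = {d.strip().split("=")[0].lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "expires" not in h:
        findings.append("no Expires header for HTTP/1.0 caches")
    else:
        expires = _parse(h["expires"])
        # With no Date header, compare against the current time instead.
        date = _parse(h.get("date", "")) or datetime.now(timezone.utc)
        # An invalid Expires value (such as "0") counts as already expired.
        if expires is not None and expires > date:
            findings.append("Expires is later than Date")
    return findings
```

Running `audit` over responses captured from a staging environment is a quick way to confirm that every endpoint returning private data carries both the HTTP/1.1 and the HTTP/1.0 signal.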