Home/ Questions/Q 6208555
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T05:49:43+00:00

I have a particular HTTP response which I don’t want cached because it has

  • 0

I have a particular HTTP response which I don’t want cached because it has private/sensitive data in it

I’m already setting Cache-Control to no-store,
which should handle clients supporting HTTP/1.1.

How do I use the Expires header to do the same for HTTP/1.0? Should I just set it with an arbitrary timestamp from 1970 or something? Is there a special value to tell it never to cache?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The HTTP RFC says:

    To mark a response as “already expired,” an origin server sends an Expires date that is equal to the Date header value.

    You should set the expires header to a date in the past. And you should also set the must-revalidate flag on the Cache-Control header.

    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-control: no-cache, must-revalidate

    You can find a good article dealing with caching issues on the doctype wiki:

    Setting an Expires header in the past ensures that HTTP/1.0 and
    HTTP/1.1 proxies and browsers will not cache the content. The
    Cache-control directive also tells HTTP/1.1 proxies not to cache the
    content. Even if proxies may be configured to return stale content
    when they should not, the must-revalidate re-affirms that they SHOULD
    NOT do it.

    • 0