Skip to content

Add Cache-Control section and clarify caching directives#2092

Open
Artemiz0307 wants to merge 1 commit intoOWASP:masterfrom
Artemiz0307:patch-1
Open

Add Cache-Control section and clarify caching directives#2092
Artemiz0307 wants to merge 1 commit intoOWASP:masterfrom
Artemiz0307:patch-1

Conversation

@Artemiz0307
Copy link
Copy Markdown

@Artemiz0307 Artemiz0307 commented Mar 30, 2026

Added a Cache-Control section to the HTTP Headers Cheat Sheet.

This includes clear explanations of the no-store, no-cache, and private directives, along with recommendations for secure usage to prevent unintended caching of sensitive data.

@Artemiz0307
Add Cache-Control section and clarify caching directives
1959caa 
Added section on Cache-Control header with recommendations for sensitive content caching.
maheshkukreja
maheshkukreja reviewed Mar 31, 2026
View reviewed changes
Comment thread cheatsheets/HTTP_Headers_Cheat_Sheet.md
The `Referrer-Policy` HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.



Copy link
Copy Markdown
Contributor

@maheshkukreja maheshkukreja Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nit: looks like a couple of extra blank lines got added here. Was this intended?

Comment thread cheatsheets/HTTP_Headers_Cheat_Sheet.md
- `no-cache`: Allows the response to be stored, but requires the cache to revalidate with the server before using it. This ensures that stale data is not served.

- `private`: Allows caching only in the user’s browser, but prevents storage in shared caches such as proxies.

Copy link
Copy Markdown
Contributor

@maheshkukreja maheshkukreja Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RFC 9111 section 3.5 has specific rules about how shared caches must handle responses to requests containing an Authorization header. Since this section covers the private directive and shared caches, would it be helpful to add a note like: "Responses to requests with an Authorization header are not stored by shared caches unless explicitly allowed via public, must-revalidate, or s-maxage"? It's a common gotcha that catches people off guard

Comment thread cheatsheets/HTTP_Headers_Cheat_Sheet.md

- `no-cache`: Allows the response to be stored, but requires the cache to revalidate with the server before using it. This ensures that stale data is not served.

- `private`: Allows caching only in the user’s browser, but prevents storage in shared caches such as proxies.
Copy link
Copy Markdown
Contributor

@maheshkukreja maheshkukreja Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to add must-revalidate to the list as well? It's commonly paired with no-cache and private in practice, and without it some caches may serve stale responses after disconnecting from the origin. Something like: "must-revalidate: Once a cached response becomes stale, it must not be used without successful revalidation with the origin server."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@maheshkukreja maheshkukreja maheshkukreja left review comments

@andrzejsydor andrzejsydor andrzejsydor approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Artemiz0307 @maheshkukreja @andrzejsydor