Isn´t no-cache, no-store enough to prevent browsers and proxies to cache?

Question

I like to prevent any caching what and where so ever and has a response header with control-cache: private, proxy-revalidate, no-cache, no-store

But it seem to much, isn´t no-cache, no-store enough to prevent browsers and proxies to cache?

Answer 1

Nope; nothing is guaranteed to work. If your data flows through/into that machine, it has the option to store it no matter what headers you set. That's not to say that every machine will, but all you're doing is asking nicely and hoping the software you're asking to will comply with your wishes. It's perfectly possible for that software to completely ignore your request and store the data anyway. If you don't want interim servers to be able to see the data, encrypt it, but if you're hoping to prevent the end client machine from keeping a copy of what you send it, you could well be out of luck

The only way to guarantee preventing a machine from storing some particular data is to never send that data to the machine, at all (which I'll admit, doesn't make for a very useful application in a lot of cases)

Answer 2

The best practice here is to set your response header as:

cache-control: no-cache, no-store, must-revalidate

This should give you a peace of mind.