为什么在 HTTP 响应中应该同时使用 no-cache 和 no-store? [英] Why both no-cache and no-store should be used in HTTP response?

问题描述

我被告知要防止用户信息泄漏，仅响应无缓存"是不够的.no-store"也是必要的.

I'm told to prevent user-info leaking, only "no-cache" in response is not enough. "no-store" is also necessary.

Cache-Control: no-cache, no-store

阅读本规范后 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html，我还是不太明白为什么.

After reading this spec http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html, I'm still not quite sure why.

我目前的理解是它只是用于中间缓存服务器.即使响应无缓存"，中间缓存服务器仍然可以将内容保存到非易失性存储中.中间缓存服务器将决定是否将保存的内容用于后续请求.但是，如果响应中包含no-store"，则中间缓存服务器不应存储内容.所以，它更安全.

My current understanding is that it is just for intermediate cache server. Even if "no-cache" is in response, intermediate cache server can still save the content to non-volatile storage. The intermediate cache server will decide whether using the saved content for following request. However, if "no-store" is in the response, the intermediate cache sever is not supposed to store the content. So, it is safer.

我们需要无缓存"和无存储"还有什么其他原因吗?

Is there any other reason we need both "no-cache" and "no-store"?

推荐答案

我必须澄清 no-cache 并不意味着 不缓存.实际上，它的意思是使用服务器重新验证".在使用您可能拥有的任何缓存响应之前，针对每个请求.

I must clarify that no-cache does not mean do not cache. In fact, it means "revalidate with server" before using any cached response you may have, on every request.

must-revalidate，另一方面，只有在资源被认为陈旧时才需要重新验证.

must-revalidate, on the other hand, only needs to revalidate when the resource is considered stale.

如果服务器说资源仍然有效，那么缓存可以用它的表示进行响应，从而减轻服务器重新发送整个资源的需要.

If the server says that the resource is still valid then the cache can respond with its representation, thus alleviating the need for the server to resend the entire resource.

no-store 实际上是完整的 do not cache 指令，旨在防止以任何形式的缓存存储表示.

no-store is effectively the full do not cache directive and is intended to prevent storage of the representation in any form of cache whatsoever.

我随便说，但请在 RFC 2616 HTTP 规范中注意这一点:

I say whatsoever, but note this in the RFC 2616 HTTP spec:

历史缓冲区可以存储这样的响应作为其正常操作的一部分

History buffers MAY store such responses as part of their normal operation

但是在较新的 RFC 7234 HTTP 规范中省略了这可能是为了使 no-store 更强大，请参阅:

But this is omitted from the newer RFC 7234 HTTP spec in potentially an attempt to make no-store stronger, see:

https://www.rfc-editor.org/rfc/rfc7234#section-5.2.1.5

这篇关于为什么在 HTTP 响应中应该同时使用 no-cache 和 no-store?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！