为什么在HTTP响应中应该使用no-cache和no-store？ [英] Why both no-cache and no-store should be used in HTTP response?

问题描述

我被告知要防止用户信息泄露，只有no-cache响应是不够的。 no-store也是必要的。

I'm told to prevent user-info leaking, only "no-cache" in response is not enough. "no-store" is also necessary.

Cache-Control: no-cache, no-store

阅读本规范 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html ，我仍然不太确定原因。

After reading this spec http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html, I'm still not quite sure why.

我目前的理解是它只适用于中间缓存服务器。即使无缓存作为响应，中间缓存服务器仍然可以将内容保存到非易失性存储。中间缓存服务器将决定是否使用保存的内容进行后续请求。但是，如果响应中存在no-store，则不应该在中间缓存服务器上存储内容。所以，它更安全。

My current understanding is that it is just for intermediate cache server. Even if "no-cache" is in response, intermediate cache server can still save the content to non-volatile storage. The intermediate cache server will decide whether using the saved content for following request. However, if "no-store" is in the response, the intermediate cache sever is not supposed to store the content. So, it is safer.

还有其他原因我们需要no-cache和no-store吗？

Is there any other reason we need both "no-cache" and "no-store"?

推荐答案

我必须澄清 no-cache 并不意味着不缓存。事实上，它意味着在使用任何缓存的响应之前对每个请求进行重新验证服务器。

I must clarify that no-cache does not mean do not cache. In fact, it means "revalidate with server" before using any cached response you may have, on every request.

必须重新验证只需要在资源被认为是陈旧时重新验证。

must-revalidate, on the other hand, only needs to revalidate when the resource is considered stale.

如果服务器说资源仍然有效，那么缓存可以响应其表示，从而减轻服务器重新发送整个资源的需要。

If the server says that the resource is still valid then the cache can respond with its representation, thus alleviating the need for the server to resend the entire resource.

no-store 是有效地完整不缓存指令，旨在防止表示以任何形式的缓存存储。

no-store is effectively the full do not cache directive and is intended to prevent storage of the representation in any form of cache whatsoever.

我说什么，但是注意这在RFC 2616 HTTP规范中：

I say whatsoever, but note this in the RFC 2616 HTTP spec:

历史缓冲区可以将这些响应存储为正常操作的一部分

History buffers MAY store such responses as part of their normal operation

但是这可以从较新的RFC 7234 HTTP规范中省略，可能试图使 no-store 更强，见：

But this is ommitted from the newer RFC 7234 HTTP spec in potentially an attempt to make no-store stronger, see:

http://tools.ietf.org/html/rfc7234#section-5.2.1.5

这篇关于为什么在HTTP响应中应该使用no-cache和no-store？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！