Controlling cache headers

Cache headers play an important role for your users' privacy if you're running a secure website. Browsers tend to cache web pages for easy retrieval and later display. Browser caching is an important mechanism to "speed up" the Internet by avoiding unnecessary round trips to the server to fetch unchanged content. However, if your website serves sensitive data, you might want to instruct the browser to reload pages instead of serving them from cache.

NWebsec lets you instruct the browser to reload pages when the user is navigating with the back and forward buttons by setting the following headers:

Cache-Control: no-cache, no-store, must-revalidate
Expires: -1
Pragma: no-cache

To learn how to set these headers with NWebsec, see Configuring cache headers on the project website.

To experiment with various combinations of cache headers, see Cache testing on this site.
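
A response can be checked for the three headers listed above with a short script. The following is an added example, not NWebsec code: the function names and the sample responses are constructed for illustration, and a `no-cache` directive that carries a field name is deliberately not counted as the unqualified directive.

```python
# Added example: audit a raw HTTP response header block for the three
# anti-caching headers listed on this page. All sample data is constructed.
REQUIRED_CC = {"no-cache", "no-store", "must-revalidate"}


def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_findings(raw):
    """Return a sorted list of problems; an empty list means all three are set."""
    h = parse_headers(raw)
    # Cache-Control may be repeated and its directives are case-insensitive.
    # Whole tokens are compared, so no-cache="Set-Cookie" (which only covers
    # that one field) does not satisfy the unqualified no-cache requirement.
    directives = set()
    for value in h.get("cache-control", []):
        directives.update(d.strip().lower() for d in value.split(","))
    findings = ["Cache-Control lacks " + d for d in REQUIRED_CC - directives]
    # The page lists the literal value -1, so that exact value is expected.
    if h.get("expires") != ["-1"]:
        findings.append("Expires is not -1")
    if "no-cache" not in [v.lower() for v in h.get("pragma", [])]:
        findings.append("Pragma lacks no-cache")
    return sorted(findings)


# Constructed responses: one with the headers from this page, one without.
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Cache-Control: no-cache, no-store, must-revalidate\r\n"
            "Expires: -1\r\nPragma: no-cache\r\n\r\n<html></html>")
WEAK = ("HTTP/1.1 200 OK\nCache-Control: private, max-age=0\n"
        "Cache-Control: No-Cache=\"Set-Cookie\"\n"
        "Expires: Thu, 01 Jan 2015 00:00:00 GMT\n\n")

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, cache_findings(raw) or "ok")
```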

Further reading

Opera's Yngve Pettersen has an excellent write-up on the issues related to browser cache and history on his blog: Introducing Cache Contexts, or: Why the browser does not know you are logged out.

See the Caching in HTTP section of the HTTP 1.1 specification, which contains all the details about caching. Here's a direct link to the Cache-Control header.

Microsoft explains how to set these headers in ASP.NET using the HttpCachePolicy.SetAllowResponseInBrowserHistory method on a response's cache policy.