The correct minimum set of headers that works across the most important browsers:
Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0
Where:
Cache-Control
is for HTTP 1.1Pragma
is for HTTP 1.0Expires
is for proxies
For the Web Pages (HTML) add the following <meta>
tags to the page(s) you want to keep browsers from caching (the code must be in the <head>
section of your page, for example right after <title>
tag):
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="Pragma" content="no-cache" /> <meta http-equiv="Expires" content="0" />
.htaccess (Apache)
<IfModule mod_headers.c> Header set Cache-Control "no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires 0 </IfModule>
PHP
header('Cache-Control: no-cache, no-store, must-revalidate'); header('Pragma: no-cache'); header('Expires: 0');
Java Servlet
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); response.setHeader("Pragma", "no-cache"); response.setDateHeader("Expires", 0);
ASP
Response.addHeader "Cache-Control", "no-cache, no-store, must-revalidate" Response.addHeader "Pragma", "no-cache" Response.addHeader "Expires", "0"
ASP.NET
Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate"); Response.AppendHeader("Pragma", "no-cache"); Response.AppendHeader("Expires", "0");
Ruby on Rails
response.headers['Cache-Control'] = 'no-cache, no-store, must-revalidate' response.headers['Pragma'] = 'no-cache' response.headers['Expires'] = '0'
Python on Flask
resp.headers["Cache-Control"] = "no-cache, no-store, must-revalidate" resp.headers["Pragma"] = "no-cache" resp.headers["Expires"] = "0"
Google Go
responseWriter.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate") responseWriter.Header().Set("Pragma", "no-cache") responseWriter.Header().Set("Expires", "0")
Resources