What Is Cache-Control Header and Why Do We Need It?
Hello everyone, I am happy that you are here to learn something new again.
If you have been in cyber security or bug bounty for a while, you know how important it is to understand security headers.
So now let’s understand what cache-control is and why we really need this header.
Cache = an auxiliary memory from which high-speed retrieval is possible (Google Dictionary meaning).
A cache is what makes a website render fast and feel smooth: it keeps a temporary copy of what your browser fetched on earlier visits so it does not have to fetch it all again.
When someone visits a website, their browser will save certain resources, such as images and website data, in a store called the cache. When that user revisits the same website, cache-control sets the rules which determine whether that user will have those resources loaded from their local cache, or whether the browser will have to send a request to the server for fresh resources.
Cache-Control is an HTTP header used to specify browser caching policies in both client requests and server responses. Policies include how a resource is cached, where it’s cached, and its maximum age before expiring (i.e., time to live).
Browsers store these resources only for a specified period of time, known as the time to live (TTL). If a user requests a cached resource after its TTL has expired, the browser has to go back to the server, either to revalidate its copy or to download a fresh one.
Headers consist of key-value pairs separated by a colon. For Cache-Control, the ‘key’, or the part to the left of the colon, is always ‘Cache-Control’ (header names are case-insensitive, so ‘cache-control’ means the same thing). The ‘value’ is what’s found on the right of the colon, and there can be one or several comma-separated values for Cache-Control.
These values are called directives, and they dictate who can cache a resource as well as how long those resources can be cached before they must be updated.
Below we go through some of the most common cache-control directives:
1. Cache-Control: private = The response may be stored only in a private cache, one that serves a single user. Typically, this is the web browser’s cache. Shared caches such as CDNs and reverse proxies, which handle requests coming from multiple users, must not store it.
2. Cache-Control: public = The ‘public’ directive means the response can be stored by any cache, shared or private, even in cases where it would otherwise not be (for example a response to a request that carried an Authorization header).
3. Cache-Control: no-store, no-cache, must-revalidate = Unlike max-age, these directives restrict what a cache may do with a response rather than giving it a lifetime. no-store means the response must not be written to any cache at all, and is the one to use for pages containing personal or session-specific data. no-cache allows a copy to be stored but forbids reusing it without first revalidating with the server. must-revalidate means that once the stored copy is stale, the cache must revalidate it rather than serve it stale. The combination you will see on many sensitive pages is: Cache-Control: no-cache, no-store, max-age=0, must-revalidate
4. Cache-Control: max-age = Allows a server to specify the lifetime of a representation. It is expressed in seconds. For instance, if a cache sees a response containing the header Cache-Control: max-age=3600, it is allowed to store and serve the same response for all subsequent requests for this resource for the next 3600 seconds.
5. Cache-Control: s-maxage = The s-maxage directive is like the max-age directive, except that it only applies to public caches, which are also referred to as shared caches (hence the s- prefix). If both directives are present, s-maxage takes precedence over max-age on shared caches and is ignored on private ones.
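To see how these directives combine, here is a small parser plus a decision function that works out, for a given Cache-Control value, whether a cache may store the response, how long it may reuse it, and whether it must revalidate once stale. This is an added example written for this post, not code from any browser, CDN or library; the directive rules follow RFC 9111, while the function names, the CacheDecision type and the sample header values are all made up here. It only looks at Cache-Control, so heuristic caching of responses with no explicit lifetime, Expires, and the Authorization-request rule are deliberately out of scope and treated as "not fresh".

```python
"""Parse a Cache-Control value and decide what a shared or private cache may do.

Added illustration for this post, not taken from any library. Directive
semantics follow RFC 9111; the names below (parse_cache_control, decide,
CacheDecision) and the sample headers are invented for the example.
"""
from dataclasses import dataclass


def parse_cache_control(value: str) -> dict:
    """Turn 'public, max-age=3600, s-maxage=60' into
    {'public': None, 'max-age': 3600, 's-maxage': 60}.
    Directive names are case-insensitive, so they are lowercased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in ("max-age", "s-maxage"):
            # A missing or non-numeric delta-seconds is treated as 0 (stale at
            # once) rather than trusted; that is the conservative choice.
            directives[name] = int(arg) if arg.isdigit() else 0
        else:
            directives[name] = arg or None
    return directives


@dataclass
class CacheDecision:
    may_store: bool              # may the cache keep a copy at all?
    fresh_for: int               # seconds the copy may be reused without asking the origin
    revalidate_once_stale: bool  # once stale, must it revalidate instead of serving stale?
    reason: str


def decide(value: str, shared: bool) -> CacheDecision:
    """shared=True models a CDN / reverse proxy, shared=False a browser cache."""
    d = parse_cache_control(value)
    if "no-store" in d:
        return CacheDecision(False, 0, False, "no-store: never written to any cache")
    if shared and "private" in d:
        return CacheDecision(False, 0, False, "private: shared caches must not store")
    if "no-cache" in d:
        # no-cache allows storing but forbids reuse without revalidation, so the
        # effective freshness lifetime is zero whatever max-age says.
        return CacheDecision(True, 0, True, "no-cache: stored but revalidated on every use")
    # Freshness lifetime: shared caches prefer s-maxage; private caches ignore it.
    if shared and "s-maxage" in d:
        ttl, source = d["s-maxage"], "s-maxage"
    elif "max-age" in d:
        ttl, source = d["max-age"], "max-age"
    else:
        ttl, source = 0, "no explicit lifetime (heuristics not modelled here)"
    return CacheDecision(True, ttl, "must-revalidate" in d, f"fresh for {ttl}s via {source}")


if __name__ == "__main__":
    # Sample header values constructed for the demonstration.
    for header in ("public, max-age=3600, s-maxage=60",
                   "private, max-age=600",
                   "no-cache, no-store, max-age=0, must-revalidate"):
        for shared in (True, False):
            print(f"{header!r:50} shared={shared!s:5} -> {decide(header, shared)}")
```

Run it and compare the shared and private rows for the same header: the public response is fresh for 60 s on a CDN but 3600 s in the browser, the private one is stored only by the browser, and the no-store combination is stored nowhere regardless of the max-age beside it.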
Why does cache-control matter?
Cache-Control is a powerful HTTP header for speeding up websites and improving the user experience through the browser cache and intermediary caches. Speed is not its only feature: it is also what keeps private information out of caches it should never reach, because a response that a browser or proxy has stored can be read back later by whoever has access to that cache, on a shared computer or through a shared proxy. The Cache-Control directives you choose depend on the nature of the information being delivered and the desired expiration time of those assets.
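As a concrete way of applying that last point, here is a small audit that runs over a set of sample responses and flags the two mistakes the post warns about: personal data that a cache is allowed to keep, and static assets that can never be cached. This is an added example for this post, not an existing tool; the sample responses, the `personal` flag (which a real audit would derive from things like Set-Cookie, Authorization or the URL path) and the rules in `audit` are constructed here to illustrate the guidance above.

```python
"""Flag cache-control mistakes on a set of constructed HTTP responses.

Added example for this post, not a real tool. The sample responses are
invented; the rules in audit() summarise the post's guidance: personal data
needs no-store and must not be marked shareable, static assets should carry an
explicit lifetime.
"""

SAMPLE_RESPONSES = [  # constructed for illustration
    {"path": "/account/statement", "personal": True,  "cache_control": "public, max-age=600"},
    {"path": "/account/profile",   "personal": True,  "cache_control": ""},
    {"path": "/account/settings",  "personal": True,  "cache_control": "no-store"},
    {"path": "/static/app.js",     "personal": False, "cache_control": "no-store"},
    {"path": "/static/logo.png",   "personal": False, "cache_control": "public, max-age=31536000"},
]


def directive_names(value: str) -> set:
    """Lower-cased directive names, ignoring any =argument."""
    return {p.strip().split("=")[0].lower() for p in value.split(",") if p.strip()}


def audit(response: dict) -> list:
    """Return a list of human-readable findings for one response (empty = fine)."""
    d = directive_names(response["cache_control"])
    findings = []
    if response["personal"]:
        if "no-store" not in d:
            findings.append("personal data without no-store: a browser on a shared "
                            "computer or an intermediary may keep a copy")
        if "public" in d or "s-maxage" in d:
            findings.append("personal data explicitly marked storable by shared "
                            "caches (public / s-maxage)")
    else:
        if "no-store" in d or "no-cache" in d:
            findings.append("static asset not reusable from cache: every visit refetches it")
        elif "max-age" not in d and "s-maxage" not in d:
            findings.append("static asset without explicit lifetime: caches fall back "
                            "to heuristics")
    return findings


def audit_all(responses: list) -> dict:
    """Map each response path to its findings."""
    return {r["path"]: audit(r) for r in responses}


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_RESPONSES).items():
        print(path, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Two of the sample paths come back clean: the settings page that says no-store, and the logo that is public with a one-year lifetime. The statement page is the worst case, since it both lacks no-store and invites CDNs to keep it, and the profile page shows that sending no header at all is not a safe default either.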
Damn, wasn’t that a little bit confusing and long? Don’t worry: once you understand this, you won’t be needing any further explanation from anyone.