Content Cacheability

Improper cache configuration can lead to sensitive data leakage when personal or session-specific information is stored in shared proxy caches. Attackers or unauthorized users can retrieve cached responses containing authentication tokens, personal data, or user-specific content by making similar requests through the same proxy infrastructure. In corporate or educational environments with shared caching proxies, one user may receive cached responses containing another user’s sensitive data, potentially leading to session hijacking or privacy breaches. Conversely, overly restrictive caching of public resources degrades performance unnecessarily.

The content may be marked as storable by ensuring that the following conditions are satisfied: The request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable) The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood) The "no-store" cache directive must not appear in the request or response header fields For caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response For caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives) In addition to the conditions above, at least one of the following conditions must also be satisfied by the response: It must contain an "Expires" header field It must contain a "max-age" response directive For "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive It must contain a "Cache Control Extension" that allows it to be cached It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).