Prerequisites

• I have written a descriptive title

• I have searched existing feature requests to ensure it has not already been proposed

• I agree to follow the Code of Conduct that this project adheres to

Description

For posterity, TypeScript support should be added.
This will open this plugin up to more users.

Prerequisites

• I have written a descriptive issue title

• I have searched existing issues to ensure it has not already been reported

• I agree to follow the Code of Conduct that this project adheres to

API/app/plugin version

all

Node.js version

all

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

all

Description

Hi Team.

Recentry I rewrited https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control section which linked by README. under reviewing of HTTP experts (chair of HTTP working group).

I rewirted misunderstanding of "don't cache". just use no-store.

But if you have some evidence of no-store does not works as expected. I wanna seriously know the case.

(FYI: original implementation of helmetjs author also doesn't has evidence of realworld problem helmetjs/nocache#19 (comment))

Below are my thought for this library. Any commnets are welcome.

from the point of standards view.

If you wanna "don't store this response to any caches", just add no-store.

Cache-Control: no-store, max-age=0, must-revalidate

in this line, no-store is most restrictive directives and others are ignored. just wast of bytes.
if implementation respect others, max-age=0, must-revalidate means "allow to store but revalidate after being stale", so it allows store to the cache.

Pragma: no-cache

Pragma is deprecated for now. and it's for Request header, not for Response.
https://httpwg.org/http-core/draft-ietf-httpbis-cache-latest.html#rfc.section.5.4

Expires: 0

Expire is ignored once Cache-Control exists. But if it works, it requires Date formatted value.
Once the value is invalid format, it's ignored. so 0 is valid for current spec. But I feel it's better to add valid date but past when you think it required (I don't think so).

So for now, below are reasonable.

Surrogate-Control: no-store
Cache-Control: no-store

(I don't think Surrogate-Control are required, because Cache-Control could cover it)

Steps to Reproduce

N/A

Expected Behaviour

No response

I'd recommend dropping nocache as it's a fairly simple implementation, see https://github.com/helmetjs/nocache/blob/dba4c205867e77be4b55537b0844c7ea9ebc6c5a/index.ts#L9-L15. This would also be more performant as res.setHeader() is a known bottleneck (use reply.header() instead).

• Mention backwards compat with old browsers for cache-control
• Remove links to MDN and use direct links to spec where possible

Is your feature request related to a problem? Please describe.
Yes. When using max-age=0 without must-revalidate, then the server may serve stale resource if the server is down or loses connectivity.

Describe the solution you'd like
Add must-revalidate to the Cache-Control header.

Describe alternatives you've considered
None.

Additional context
None.

Is your feature request related to a problem? Please describe.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

It is at an experimental stage at present. Once standardised, then it can be added.