Just use `no-store` about fastify-disablecache HOT 4 CLOSED

Hi @Jxck,

In response to your questions regarding headers and their directives/values:

• Pragma is still supported because it was used by Microsoft as a response header in old versions of IE
• Expires is still supported in order to disable caching for old clients that adhered to the HTTP 1.0 spec, when Cache-Control was not a thing

Working in the public health sector in the UK I have to ensure backwards compatibility as much as possible, because not everyone is accessing sites using the latest version of Chrome, Edge, or Firefox. We still have people using Internet Explorer 5, and we cannot exclude them from accessing web-based health services because of that. As such, these headers will continue to be included.

from fastify-disablecache.

@Fdawgs Thanks for reply !

Oh it's much interesting if you have specific reason to do this. Yes backward compatible is important and service should allow various user.

Working in the public health sector in the UK

That seems real usecase what I want. Could you share a URL for it ?

my interest here is once keep compatible with such a old browsers, it really works on every aspects ? for example is it possible to build html+css+js contents compatible for IE5? they only implements HTTP/1.0 which doesn't supports Host based virtual host , content-negotiation. Aslo it only supports TLS1.0 or SSL3.0 (maybe), It really could establish a connection in correct cipher suite, and CA certificate ? It doesn't cause a security incident? etc etc etc

In recently deployment, for example using Fastify ! its soooo hard to support http/1.0, tls/1.0, html4, js?? client. I wonder it doesn't work (event could not establish access). So I'm so interested in your work !

On the other hand, sometimes access.log shows phantom entry which shows unbelievable user-agent from phantom old client. its mystery of internet.
If you consider "old browser user exists" based on access logs, I recommend you to check such a client could really works on your site. If it doesn't, it already lost compatible for them, so adding backward caching headers are only waste of bytes.
(I don't know how can I install IE5 to recent machines, VM?)

from fastify-disablecache.

@Jxck, just to let you know I'm investigating using only no-store in this plugin.

You may also want to raise this in OWASP's repos, as they also use more than just the no-store directive:

https://github.com/OWASP/www-project-secure-headers

from fastify-disablecache.

Okay, having done further testing, only using no-store is not feasible for backwards compatibility.
Internet Explorer uses the no-cache directive to prevent caching, not no-store as it should. max-age=0, must-revalidate functions the same as no-cache and stops caching for even older clients.

Also see https://blog.httpwatch.com/2008/10/15/two-important-differences-between-firefox-and-ie-caching/

from fastify-disablecache.