We should quit using the Pragma: no-cache response header

This article is already over 5 years old, and yet we still have security guidance that we should be including Pragma: no-cache as an HTTP response header, even though it’s deprecated and its replacement has been available and used by every browser created this century: the far-more-configurable Cache-Control header.

I haven’t been able to find a use case where the Pragma: no-cache header is needed if you are setting the Cache-Control header properly. So why are security guidelines and scanning tools still harping on this?
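
As an added illustration (not code from the original post), here is how a scanner rule could judge the caching policy from Cache-Control alone and report Pragma: no-cache as informational only. It assumes the response is sensitive and that "set properly" means Cache-Control includes no-store; the function names and sample headers are constructed for this example.

```python
import re

# One directive: a token, optionally followed by =value or ="quoted, value".
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')


def parse_cache_control(value):
    """Return {directive: argument-or-None} with lowercased directive names."""
    directives = {}
    for m in _DIRECTIVE.finditer(value):
        arg = (m.group(2) or "").strip('"') or None
        directives[m.group(1).lower()] = arg
    return directives


def audit_cache_headers(headers):
    """Return (verdict, notes) for one response's headers (dict name -> value).

    Assumption of this example: the response is sensitive, so the policy
    passes only when Cache-Control carries no-store.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    has_pragma = "no-cache" in h.get("pragma", "").lower()
    notes = []
    if "no-store" in cc:
        verdict = "pass"
        if has_pragma:
            notes.append("Pragma: no-cache is redundant next to Cache-Control")
    else:
        verdict = "fail"
        notes.append("Cache-Control lacks no-store" if cc
                     else "Cache-Control is missing")
        if has_pragma:
            notes.append("Pragma: no-cache does not substitute for Cache-Control")
    return verdict, notes


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        {"Cache-Control": "no-store"},
        {"Cache-Control": "no-store", "Pragma": "no-cache"},
        {"Pragma": "no-cache"},
        {"Cache-Control": "private, max-age=600", "Pragma": "no-cache"},
    ]
    for s in samples:
        print(s, "->", audit_cache_headers(s))
```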
