HTTPbis Working Group                                      R. Fielding, Ed.
Internet-Draft                                                        Adobe
Obsoletes: 2616 (if approved)                            M. Nottingham, Ed.
Intended status: Standards Track                                     Akamai
Expires: August 27, 2013                                    J. Reschke, Ed.
                                                                 greenbytes
                                                          February 23, 2013

             Hypertext Transfer Protocol (HTTP/1.1): Caching
                     draft-ietf-httpbis-p6-cache-22

Abstract

The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines requirements on HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.
Editorial Note (To be removed by RFC Editor)

Discussion of this draft takes place on the HTTPBIS working group mailing list (ietf-http-wg@w3.org), which is archived at .

The current issues list is at and related documents (including fancy diffs) can be found at .

The changes in this draft are summarized in Appendix D.3.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 27, 2013.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

1. Introduction
   1.1. Purpose
   1.2. Terminology
   1.3. Conformance and Error Handling
   1.4. Syntax Notation
      1.4.1. Delta Seconds
2. Overview of Cache Operation
3. Storing Responses in Caches
   3.1. Storing Incomplete Responses
   3.2. Storing Responses to Authenticated Requests
4. Constructing Responses from Caches
   4.1. Freshness Model
      4.1.1. Calculating Freshness Lifetime
      4.1.2. Calculating Heuristic Freshness
      4.1.3. Calculating Age
      4.1.4. Serving Stale Responses
   4.2. Validation Model
      4.2.1. Freshening Responses with 304 Not Modified
   4.3. Using Negotiated Responses
   4.4. Combining Partial Content
5. Updating Caches with HEAD Responses
6. Request Methods that Invalidate
7. Header Field Definitions
   7.1. Age
   7.2. Cache-Control
      7.2.1. Request Cache-Control Directives
      7.2.2. Response Cache-Control Directives
      7.2.3. Cache Control Extensions
   7.3. Expires
   7.4. Pragma
   7.5. Warning
      7.5.1. 110 Response is Stale
      7.5.2. 111 Revalidation Failed
      7.5.3. 112 Disconnected Operation
      7.5.4. 113 Heuristic Expiration
      7.5.5. 199 Miscellaneous Warning
      7.5.6. 214 Transformation Applied
      7.5.7. 299 Miscellaneous Persistent Warning
      7.5.8. Warn Code Extensions
8. History Lists
9. IANA Considerations
   9.1. Cache Directive Registry
   9.2. Warn Code Registry
   9.3. Header Field Registration
10. Security Considerations
11. Acknowledgments
12. References
   12.1. Normative References
   12.2. Informative References
Appendix A. Changes from RFC 2616
Appendix B. Imported ABNF
Appendix C. Collected ABNF
Appendix D. Change Log (to be removed by RFC Editor before publication)
   D.1. Since draft-ietf-httpbis-p6-cache-19
   D.2. Since draft-ietf-httpbis-p6-cache-20
   D.3. Since draft-ietf-httpbis-p6-cache-21
Index

1. Introduction

HTTP is typically used for distributed information systems, where performance can be improved by the use of response caches. This document defines aspects of HTTP/1.1 related to caching and reusing response messages.

1.1. Purpose

An HTTP cache is a local store of response messages and the subsystem that controls its message storage, retrieval, and deletion. A cache stores cacheable responses in order to reduce the response time and network bandwidth consumption on future, equivalent requests. Any client or server MAY employ a cache, though a cache cannot be used by a server that is acting as a tunnel.

The goal of caching in HTTP/1.1 is to significantly improve performance by reusing a prior response message to satisfy a current request. A stored response is considered "fresh", as defined in Section 4.1, if the response can be reused without "validation" (checking with the origin server to see if the cached response remains valid for this request). A fresh cache response can therefore reduce both latency and network transfers each time it is reused. When a cached response is not fresh, it might still be reusable if it can be freshened by validation (Section 4.2) or if the origin is unavailable.
1.2. Terminology

This specification uses a number of terms to refer to the roles played by participants in, and objects of, HTTP caching.

cache

   A conformant implementation of an HTTP cache. Note that this implies an HTTP/1.1 cache; this specification does not define conformance for HTTP/1.0 caches.

shared cache

   A cache that stores responses to be reused by more than one user; usually (but not always) deployed as part of an intermediary.

private cache

   A cache that is dedicated to a single user.

cacheable

   A response is cacheable if a cache is allowed to store a copy of the response message for use in answering subsequent requests. Even when a response is cacheable, there might be additional constraints on whether a cache can use the stored copy to satisfy a particular request.

explicit expiration time

   The time at which the origin server intends that a stored response no longer be used by a cache without further validation.

heuristic expiration time

   An expiration time assigned by a cache when no explicit expiration time is available.

age

   The age of a response is the time since it was sent by, or successfully validated with, the origin server.

first-hand

   A response is first-hand if the freshness model is not in use; i.e., its age is 0.

freshness lifetime

   The length of time between the generation of a response and its expiration time.

fresh

   A response is fresh if its age has not yet exceeded its freshness lifetime.

stale

   A response is stale if its age has passed its freshness lifetime (either explicit or heuristic).

validator

   A protocol element (e.g., an entity-tag or a Last-Modified time) that is used to find out whether a stored response is an equivalent copy of a representation. See Section 2.1 of [Part4].

strong validator

   A validator that is defined by the origin server such that its current value will change if the representation data changes; i.e., an entity-tag that is not marked as weak (Section 2.3 of [Part4]) or, if no entity-tag is provided, a Last-Modified value that is strong in the sense defined by Section 2.2.2 of [Part4].

1.3. Conformance and Error Handling

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Conformance criteria and considerations regarding error handling are defined in Section 2.5 of [Part1].

1.4. Syntax Notation

This specification uses the Augmented Backus-Naur Form (ABNF) notation of [RFC5234] with the list rule extension defined in Section 1.2 of [Part1]. Appendix B describes rules imported from other documents. Appendix C shows the collected ABNF with the list rule expanded.

1.4.1. Delta Seconds

The delta-seconds rule specifies a non-negative integer, representing time in seconds.

   delta-seconds = 1*DIGIT

If an implementation receives a delta-seconds value larger than the largest positive integer it can represent, or if any of its subsequent calculations overflows, it MUST consider the value to be 2147483648 (2^31). Recipients parsing a delta-seconds value MUST use an arithmetic type of at least 31 bits of range, and senders MUST NOT send delta-seconds with a value greater than 2147483648.

2. Overview of Cache Operation

Proper cache operation preserves the semantics of HTTP transfers ([Part2]) while eliminating the transfer of information already held in the cache.
Although caching is an entirely OPTIONAL feature of HTTP, we assume that reusing the cached response is desirable and that such reuse is the default behavior when no requirement or locally-desired configuration prevents it. Therefore, HTTP cache requirements are focused on preventing a cache from either storing a non-reusable response or reusing a stored response inappropriately.

Each cache entry consists of a cache key and one or more HTTP responses corresponding to prior requests that used the same key. The most common form of cache entry is a successful result of a retrieval request: i.e., a 200 (OK) response to a GET request, which contains a representation of the resource identified by the request target (Section 4.3.1 of [Part2]). However, it is also possible to cache permanent redirects, negative results (e.g., 404 (Not Found)), incomplete results (e.g., 206 (Partial Content)), and responses to methods other than GET if the method's definition allows such caching and defines something suitable for use as a cache key.

The default cache key consists of the request method and target URI. However, since HTTP caches in common use today are typically limited to caching responses to GET, many implementations simply decline other methods and use only the URI as the key.

If a request target is subject to content negotiation, its cache entry might consist of multiple stored responses, each differentiated by a secondary key for the values of the original request's selecting header fields (Section 4.3).

3. Storing Responses in Caches

A cache MUST NOT store a response to any request, unless:

o  The request method is understood by the cache and defined as being cacheable, and

o  the response status code is understood by the cache, and

o  the "no-store" cache directive (see Section 7.2) does not appear in request or response header fields, and

o  the "private" cache response directive (see Section 7.2.2.2) does not appear in the response, if the cache is shared, and

o  the Authorization header field (see Section 4.1 of [Part7]) does not appear in the request, if the cache is shared, unless the response explicitly allows it (see Section 3.2), and

o  the response either:

   *  contains an Expires header field (see Section 7.3), or

   *  contains a max-age response cache directive (see Section 7.2.2.7), or

   *  contains a s-maxage response cache directive and the cache is shared, or

   *  contains a Cache Control Extension (see Section 7.2.3) that allows it to be cached, or

   *  has a status code that is defined as cacheable (see Section 4.1.2), or

   *  contains a public response cache directive (see Section 7.2.2.1).

Note that any of the requirements listed above can be overridden by a cache-control extension; see Section 7.2.3.

In this context, a cache has "understood" a request method or a response status code if it recognizes it and implements any cache-specific behavior.

Note that, in normal operation, many caches will not store a response that has neither a cache validator nor an explicit expiration time, as such responses are not usually useful to store. However, caches are not prohibited from storing such responses.

3.1. Storing Incomplete Responses

A response message is considered complete when all of the octets indicated by the message framing ([Part1]) are received prior to the connection being closed. If the request is GET, the response status is 200 (OK), and the entire response header block has been received, a cache MAY store an incomplete response message body if the cache entry is recorded as incomplete. Likewise, a 206 (Partial Content) response MAY be stored as if it were an incomplete 200 (OK) cache entry. However, a cache MUST NOT store incomplete or partial content responses if it does not support the Range and Content-Range header fields or if it does not understand the range units used in those fields.

A cache MAY complete a stored incomplete response by making a subsequent range request ([Part5]) and combining the successful response with the stored entry, as defined in Section 4.4. A cache MUST NOT use an incomplete response to answer requests unless the response has been made complete or the request is partial and specifies a range that is wholly within the incomplete response. A cache MUST NOT send a partial response to a client without explicitly marking it as such using the 206 (Partial Content) status code.

3.2. Storing Responses to Authenticated Requests

A shared cache MUST NOT use a cached response to a request with an Authorization header field (Section 4.1 of [Part7]) to satisfy any subsequent request unless a cache directive that allows such responses to be stored is present in the response.

In this specification, the following Cache-Control response directives (Section 7.2.2) have such an effect: must-revalidate, public, s-maxage.

Note that cached responses that contain the "must-revalidate" and/or "s-maxage" response directives are not allowed to be served stale (Section 4.1.4) by shared caches. In particular, a response with either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to satisfy a subsequent request without revalidating it on the origin server.
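The Section 3 checklist and the Section 3.2 rule for authenticated requests, written out as one store-eligibility decision. This is an added example, not code from the draft or from any HTTPbis implementation; the request and response structures, the set of methods and status codes the cache "understands" (the RFC 7231-era list of codes cacheable by default is assumed), and the sample messages are constructed.

```python
"""Store-eligibility decision following Section 3 and Section 3.2 of the
draft above (added illustration, not the draft's own code). Headers are
dicts keyed by lowercase field name; the sample messages are constructed."""

from dataclasses import dataclass, field

# Assumptions for this illustrative cache: which methods it understands and
# whether each is cacheable, which status codes it understands, and which of
# those [Part2] defines as cacheable by default (RFC 7231-era list assumed).
UNDERSTOOD_METHODS = {"GET": True, "HEAD": False, "POST": False}
CACHEABLE_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
UNDERSTOOD_STATUS = CACHEABLE_STATUS | {302, 307, 400, 401, 403, 500, 503}

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

def cache_control(value):
    """Minimal Cache-Control parser: {directive: argument or ''}. Directive
    names are case-insensitive; commas inside quoted strings are not handled."""
    out = {}
    for item in value.split(","):
        name, _, arg = item.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"')
    return out

def may_store(req, resp, shared):
    """Return (allowed, reason). Every bullet of Section 3 must hold; the
    final group ("the response either: ...") needs a single match."""
    req_cc = cache_control(req.headers.get("cache-control", ""))
    resp_cc = cache_control(resp.headers.get("cache-control", ""))

    if not UNDERSTOOD_METHODS.get(req.method, False):
        return False, "request method not understood or not cacheable"
    if resp.status not in UNDERSTOOD_STATUS:
        return False, "status code not understood"
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store present"
    if shared and "private" in resp_cc:
        return False, "private response in a shared cache"
    if shared and "authorization" in req.headers:
        # Section 3.2: a shared cache may reuse a response to an authenticated
        # request only when must-revalidate, public or s-maxage allows it.
        if {"must-revalidate", "public", "s-maxage"}.isdisjoint(resp_cc):
            return False, "Authorization request without explicit allowance"

    # Final group. Extensions that permit caching (Section 7.2.3) are not
    # modelled here, so that bullet never matches.
    if "expires" in resp.headers:
        return True, "Expires present"
    if "max-age" in resp_cc:
        return True, "max-age present"
    if shared and "s-maxage" in resp_cc:
        return True, "s-maxage present in a shared cache"
    if resp.status in CACHEABLE_STATUS:
        return True, "status code cacheable by definition"
    if "public" in resp_cc:
        return True, "public present"
    return False, "no explicit freshness and status not cacheable by default"

# Constructed sample: an authenticated GET whose response the origin
# marked with max-age only, versus the same response marked public.
AUTH_REQ = Request("GET", {"authorization": "Basic PLACEHOLDER-CREDENTIALS"})
MAX_AGE_ONLY = Response(200, {"cache-control": "max-age=60"})
PUBLIC = Response(200, {"cache-control": "public, max-age=60"})

if __name__ == "__main__":
    for shared in (True, False):
        print("shared" if shared else "private", may_store(AUTH_REQ, MAX_AGE_ONLY, shared))
        print("shared" if shared else "private", may_store(AUTH_REQ, PUBLIC, shared))
```

The shared-cache run refuses MAX_AGE_ONLY and accepts PUBLIC; a private cache accepts both, which is exactly the asymmetry Section 3.2 is protecting.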
4. Constructing Responses from Caches

For a presented request, a cache MUST NOT send a stored response, unless:

o  The presented effective request URI (Section 5.5 of [Part1]) and that of the stored response match, and

o  the request method associated with the stored response allows it to be used for the presented request, and

o  selecting header fields nominated by the stored response (if any) match those presented (see Section 4.3), and

o  the presented request does not contain the no-cache pragma (Section 7.4), nor the no-cache cache directive (Section 7.2.1), unless the stored response is successfully validated (Section 4.2), and

o  the stored response does not contain the no-cache cache directive (Section 7.2.2.3), unless it is successfully validated (Section 4.2), and

o  the stored response is either:

   *  fresh (see Section 4.1), or

   *  allowed to be served stale (see Section 4.1.4), or

   *  successfully validated (see Section 4.2).

Note that any of the requirements listed above can be overridden by a cache-control extension; see Section 7.2.3.

When a stored response is used to satisfy a request without validation, a cache MUST send a single Age header field (Section 7.1) in the response with a value equal to the stored response's current_age; see Section 4.1.3.

A cache MUST write through requests with methods that are unsafe (Section 4.2.1 of [Part2]) to the origin server; i.e., a cache is not allowed to generate a reply to such a request before having forwarded the request and having received a corresponding response.

Also, note that unsafe requests might invalidate already stored responses; see Section 6.

When more than one suitable response is stored, a cache MUST use the most recent response (as determined by the Date header field). It can also forward a request with "Cache-Control: max-age=0" or "Cache-Control: no-cache" to disambiguate which response to use.

A cache that does not have a clock available MUST NOT use stored responses without revalidating them on every use.

4.1. Freshness Model

When a response is "fresh" in the cache, it can be used to satisfy subsequent requests without contacting the origin server, thereby improving efficiency.

The primary mechanism for determining freshness is for an origin server to provide an explicit expiration time in the future, using either the Expires header field (Section 7.3) or the max-age response cache directive (Section 7.2.2.7). Generally, origin servers will assign future explicit expiration times to responses in the belief that the representation is not likely to change in a semantically significant way before the expiration time is reached.

If an origin server wishes to force a cache to validate every request, it can assign an explicit expiration time in the past to indicate that the response is already stale. Compliant caches will normally validate a stale cached response before reusing it for subsequent requests (see Section 4.1.4).

Since origin servers do not always provide explicit expiration times, caches are also allowed to use a heuristic to determine an expiration time under certain circumstances (see Section 4.1.2).

The calculation to determine if a response is fresh is:

   response_is_fresh = (freshness_lifetime > current_age)

The freshness_lifetime is defined in Section 4.1.1; the current_age is defined in Section 4.1.3.

Clients can send the max-age or min-fresh cache directives in a request to constrain or relax freshness calculations for the corresponding response (Section 7.2.1).
Note that freshness applies only to cache operation; it cannot be used to force a user agent to refresh its display or reload a resource. See Section 8 for an explanation of the difference between caches and history mechanisms.

4.1.1. Calculating Freshness Lifetime

A cache can calculate the freshness lifetime (denoted as freshness_lifetime) of a response by using the first match of:

o  If the cache is shared and the s-maxage response cache directive (Section 7.2.2.8) is present, use its value, or

o  If the max-age response cache directive (Section 7.2.2.7) is present, use its value, or

o  If the Expires response header field (Section 7.3) is present, use its value minus the value of the Date response header field, or

o  Otherwise, no explicit expiration time is present in the response. A heuristic freshness lifetime might be applicable; see Section 4.1.2.

Note that this calculation is not vulnerable to clock skew, since all of the information comes from the origin server.

When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), it is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.

4.1.2. Calculating Heuristic Freshness

Since origin servers do not always provide explicit expiration times, a cache MAY assign a heuristic expiration time when an explicit time is not specified, employing algorithms that use other header field values (such as the Last-Modified time) to estimate a plausible expiration time. This specification does not provide specific algorithms, but does impose worst-case constraints on their results.

A cache MUST NOT use heuristics to determine freshness when an explicit expiration time is present in the stored response. Because of the requirements in Section 3, this means that, effectively, heuristics can only be used on responses without explicit freshness whose status codes are defined as cacheable, and responses without explicit freshness that have been marked as explicitly cacheable (e.g., with a "public" response cache directive).

If the response has a Last-Modified header field (Section 2.2 of [Part4]), caches are encouraged to use a heuristic expiration value that is no more than some fraction of the interval since that time. A typical setting of this fraction might be 10%.

When a heuristic is used to calculate freshness lifetime, a cache SHOULD attach a Warning header field with a 113 warn-code to the response if its current_age is more than 24 hours and such a warning is not already present.

   Note: Section 13.9 of [RFC2616] prohibited caches from calculating heuristic freshness for URIs with query components (i.e., those containing '?'). In practice, this has not been widely implemented. Therefore, servers are encouraged to send explicit directives (e.g., Cache-Control: no-cache) if they wish to preclude caching.

4.1.3. Calculating Age

The Age header field is used to convey an estimated age of the response message when obtained from a cache. The Age field value is the cache's estimate of the number of seconds since the response was generated or validated by the origin server. In essence, the Age value is the sum of the time that the response has been resident in each of the caches along the path from the origin server, plus the amount of time it has been in transit along network paths.

The following data is used for the age calculation:

age_value

   The term "age_value" denotes the value of the Age header field (Section 7.1), in a form appropriate for arithmetic operation; or 0, if not available.
date_value

   The term "date_value" denotes the value of the Date header field, in a form appropriate for arithmetic operations. See Section 7.1.1.2 of [Part2] for the definition of the Date header field, and for requirements regarding responses without it.

now

   The term "now" means "the current value of the clock at the host performing the calculation". A host ought to use NTP ([RFC1305]) or some similar protocol to synchronize its clocks to Coordinated Universal Time.

request_time

   The current value of the clock at the host at the time the request resulting in the stored response was made.

response_time

   The current value of the clock at the host at the time the response was received.

A response's age can be calculated in two entirely independent ways:

1. the "apparent_age": response_time minus date_value, if the local clock is reasonably well synchronized to the origin server's clock. If the result is negative, the result is replaced by zero.

2. the "corrected_age_value", if all of the caches along the response path implement HTTP/1.1. A cache MUST interpret this value relative to the time the request was initiated, not the time that the response was received.

   apparent_age = max(0, response_time - date_value);

   response_delay = response_time - request_time;
   corrected_age_value = age_value + response_delay;

These SHOULD be combined as

   corrected_initial_age = max(apparent_age, corrected_age_value);

unless the cache is confident in the value of the Age header field (e.g., because there are no HTTP/1.0 hops in the Via header field), in which case the corrected_age_value MAY be used as the corrected_initial_age.

The current_age of a stored response can then be calculated by adding the amount of time (in seconds) since the stored response was last validated by the origin server to the corrected_initial_age.

   resident_time = now - response_time;
   current_age = corrected_initial_age + resident_time;

Additionally, to avoid common problems in date parsing:

o  Although all date formats are specified to be case-sensitive, cache recipients SHOULD match day, week and timezone names case-insensitively.

o  If a cache recipient's internal implementation of time has less resolution than the value of an HTTP-date, the recipient MUST internally represent a parsed Expires date as the nearest time equal to or earlier than the received value.

o  Cache recipients MUST NOT allow local time zones to influence the calculation or comparison of an age or expiration time.

o  Cache recipients SHOULD consider a date with a zone abbreviation other than "GMT" to be invalid for calculating expiration.

4.1.4. Serving Stale Responses

A "stale" response is one that either has explicit expiry information or is allowed to have heuristic expiry calculated, but is not fresh according to the calculations in Section 4.1.

A cache MUST NOT send a stale response if it is prohibited by an explicit in-protocol directive (e.g., by a "no-store" or "no-cache" cache directive, a "must-revalidate" cache-response-directive, or an applicable "s-maxage" or "proxy-revalidate" cache-response-directive; see Section 7.2.2).

A cache MUST NOT send stale responses unless it is disconnected (i.e., it cannot contact the origin server or otherwise find a forward path) or doing so is explicitly allowed (e.g., by the max-stale request directive; see Section 7.2.1).

A cache SHOULD append a Warning header field with the 110 warn-code (see Section 7.5) to stale responses. Likewise, a cache SHOULD add the 112 warn-code to stale responses if the cache is disconnected.
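The freshness_lifetime selection of Section 4.1.1, the age arithmetic of Section 4.1.3 and the response_is_fresh test of Section 4.1, carried through on one constructed response, with delta-seconds clamped as Section 1.4.1 requires and duplicated or non-GMT freshness fields treated as stale. This is an added example, not code from the draft or from any HTTPbis implementation; the header list representation, the epoch-second clock values and the assumption that a response lacking a usable Date is stamped with its time of receipt are mine.

```python
"""Freshness computation following Sections 4.1, 4.1.1 and 4.1.3 of the
draft above (added illustration, not the draft's own code). Headers are
(name, value) pairs so duplicated fields can be detected; times are
integer epoch seconds; the sample response is constructed."""

from email.utils import parsedate_to_datetime

DELTA_SECONDS_LIMIT = 2147483648  # 2^31, Section 1.4.1

def delta_seconds(text):
    """1*DIGIT, or None if malformed. Emulating a 31-bit arithmetic type:
    anything it could not represent becomes exactly 2^31."""
    text = text.strip()
    return min(int(text), DELTA_SECONDS_LIMIT) if text.isdigit() else None

def http_date(text):
    """IMF-fixdate -> epoch seconds, or None. A zone other than GMT is
    invalid for expiration purposes (Section 4.1.3); matched case-insensitively."""
    if not text.strip().upper().endswith("GMT"):
        return None
    try:
        return int(parsedate_to_datetime(text).timestamp())
    except (TypeError, ValueError):
        return None

def cache_control(value):
    """Minimal parser: {directive: [argument, ...]}; repeats accumulate so
    duplicates can be flagged (commas inside quoted strings not handled)."""
    out = {}
    for item in value.split(","):
        name, _, arg = item.strip().partition("=")
        if name:
            out.setdefault(name.lower(), []).append(arg.strip().strip('"'))
    return out

def field_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def freshness_lifetime(headers, shared):
    """Section 4.1.1, first match wins. None: no explicit expiration (a
    heuristic, Section 4.1.2, might apply). 0: invalid (duplicated or
    unparsable) freshness information, treated as stale as the draft
    encourages. Negative when Expires precedes Date."""
    cc = {}
    for v in field_values(headers, "Cache-Control"):
        for name, args in cache_control(v).items():
            cc.setdefault(name, []).extend(args)
    for directive in (["s-maxage"] if shared else []) + ["max-age"]:
        if directive in cc:
            if len(cc[directive]) != 1:
                return 0
            secs = delta_seconds(cc[directive][0])
            return 0 if secs is None else secs
    expires = field_values(headers, "Expires")
    dates = field_values(headers, "Date")
    if expires:
        if len(expires) != 1 or len(dates) != 1:
            return 0
        exp, dat = http_date(expires[0]), http_date(dates[0])
        return 0 if exp is None or dat is None else exp - dat
    return None

def corrected_initial_age(headers, request_time, response_time, trust_age=False):
    """Section 4.1.3. trust_age=True: the cache is confident in the Age field
    (e.g., no HTTP/1.0 hops in Via) and uses corrected_age_value alone."""
    dates = field_values(headers, "Date")
    date_value = http_date(dates[0]) if len(dates) == 1 else None
    if date_value is None:
        # Assumption: a response without a usable Date is stamped with its
        # time of receipt, as [Part2] requires of recipients with a clock.
        date_value = response_time
    ages = field_values(headers, "Age")
    age_value = delta_seconds(ages[0]) if len(ages) == 1 else None
    if age_value is None:
        age_value = 0
    apparent_age = max(0, response_time - date_value)
    response_delay = response_time - request_time
    corrected_age_value = age_value + response_delay
    return corrected_age_value if trust_age else max(apparent_age, corrected_age_value)

def current_age(headers, request_time, response_time, now, trust_age=False):
    resident_time = now - response_time
    return corrected_initial_age(headers, request_time, response_time, trust_age) + resident_time

def response_is_fresh(headers, shared, request_time, response_time, now):
    """Section 4.1: freshness_lifetime > current_age. With no explicit
    expiration this example reports not fresh (no heuristic implemented)."""
    lifetime = freshness_lifetime(headers, shared)
    return lifetime is not None and lifetime > current_age(headers, request_time, response_time, now)

# Constructed sample: origin-dated response that already spent 10 s in an
# upstream cache; this host's clock is assumed to agree with the origin's.
ORIGIN_DATE = "Sun, 06 Nov 1994 08:49:37 GMT"
SAMPLE = [("Date", ORIGIN_DATE), ("Cache-Control", "max-age=300, s-maxage=600"), ("Age", "10")]
T0 = http_date(ORIGIN_DATE)

if __name__ == "__main__":
    for now in (T0 + 100, T0 + 300):  # request sent at T0+2, response received at T0+4
        print(now - T0, current_age(SAMPLE, T0 + 2, T0 + 4, now),
              response_is_fresh(SAMPLE, False, T0 + 2, T0 + 4, now),
              response_is_fresh(SAMPLE, True, T0 + 2, T0 + 4, now))
```

At now = T0+300 the private lifetime of 300 s is already exceeded (current_age 308) while the shared s-maxage of 600 s still holds, so the same entry is stale in a private cache and fresh in a shared one.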
   If a cache receives a first-hand response (either an entire response,
   or a 304 (Not Modified) response) that it would normally forward to
   the requesting client, and the received response is no longer fresh,
   the cache can forward it to the requesting client without adding a
   new Warning (but without removing any existing Warning header
   fields).  A cache shouldn't attempt to validate a response simply
   because that response became stale in transit.

4.2.  Validation Model

   When a cache has one or more stored responses for a requested URI,
   but cannot serve any of them (e.g., because they are not fresh, or
   one cannot be selected; see Section 4.3), it can use the conditional
   request mechanism [Part4] in the forwarded request to give the origin
   server an opportunity to both select a valid stored response to be
   used, and to update it.  This process is known as "validating" or
   "revalidating" the stored response.

   When sending such a conditional request, a cache adds an
   If-Modified-Since header field whose value is that of the
   Last-Modified header field from the selected (see Section 4.3) stored
   response, if available.

   Additionally, a cache can add an If-None-Match header field whose
   value is that of the ETag header field(s) from all responses stored
   for the requested URI, if present.  However, if any of the stored
   responses contains only partial content, the cache shouldn't include
   its entity-tag in the If-None-Match header field unless the request
   is for a range that would be fully satisfied by that stored response.

   Cache handling of a response to a conditional request is dependent
   upon its status code:

   o  A 304 (Not Modified) response status code indicates that the
      stored response can be updated and reused; see Section 4.2.1.
   o  A full response (i.e., one with a payload body) indicates that
      none of the stored responses nominated in the conditional request
      is suitable.  Instead, the cache can use the full response to
      satisfy the request and MAY replace the stored response(s).

   o  However, if a cache receives a 5xx (Server Error) response while
      attempting to validate a response, it can either forward this
      response to the requesting client, or act as if the server failed
      to respond.  In the latter case, it can send a previously stored
      response (see Section 4.1.4).

4.2.1.  Freshening Responses with 304 Not Modified

   When a cache receives a 304 (Not Modified) response and already has
   one or more stored 200 (OK) responses for the same cache key, the
   cache needs to identify which of the stored responses are updated by
   this new response and then update the stored response(s) with the new
   information provided in the 304 response.

   The stored response to update is identified by using the first match
   (if any) of:

   o  If the new response contains a strong validator, then that strong
      validator identifies the selected representation.  All of the
      stored responses with the same strong validator are selected.  If
      none of the stored responses contain the same strong validator,
      then the new response MUST NOT be used to update any stored
      responses.

   o  If the new response contains a weak validator and that validator
      corresponds to one of the cache's stored responses, then the most
      recent of those matching stored responses is selected.

   o  If the new response does not include any form of validator (such
      as in the case where a client generates an If-Modified-Since
      request from a source other than the Last-Modified response header
      field), and there is only one stored response, and that stored
      response also lacks a validator, then that stored response is
      selected.
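   The three selection rules above, followed by the header update that
   Section 4.2.1 goes on to require (delete 1xx Warnings, keep 2xx,
   replace other fields), as an added Python example that is not part
   of this draft.  Stored responses are modelled as dicts with
   lower-cased header names and an integer "date"; ETag is the strong
   or weak validator and Last-Modified the fallback weak validator.
   The names select_for_update, apply_304 and freshen_with_304 and the
   sample responses are this example's own.

```python
def _weak_tag(etag):
    """Opaque-tag without the W/ prefix, for weak comparison."""
    return etag[2:] if etag.startswith("W/") else etag


def select_for_update(new_headers, stored):
    """Return the stored responses that a 304 carrying new_headers updates.

    stored: list of dicts with "headers" (lower-cased names to values;
    "warning" is a list of warning-values) and "date" (integer seconds).
    Implements the first-match rules: strong validator, weak, then none.
    """
    etag = new_headers.get("etag")
    last_modified = new_headers.get("last-modified")
    if etag is not None and not etag.startswith("W/"):
        # Strong validator: every stored response with exactly that tag.
        # An empty result means the 304 MUST NOT update anything.
        return [r for r in stored if r["headers"].get("etag") == etag]
    if etag is not None:
        matching = [r for r in stored
                    if r["headers"].get("etag") is not None
                    and _weak_tag(r["headers"]["etag"]) == _weak_tag(etag)]
    elif last_modified is not None:
        matching = [r for r in stored
                    if r["headers"].get("last-modified") == last_modified]
    else:
        matching = None
    if matching is not None:
        # Weak validator: only the most recent matching response.
        return [max(matching, key=lambda r: r["date"])] if matching else []
    # No validator at all: a lone stored response that also lacks one.
    if len(stored) == 1 and "etag" not in stored[0]["headers"] \
            and "last-modified" not in stored[0]["headers"]:
        return [stored[0]]
    return []


def apply_304(stored_response, new_headers):
    """Update one selected stored response in place and return it."""
    h = stored_response["headers"]
    if "warning" in h:
        # 1xx warn-codes describe freshness/validation and are dropped;
        # 2xx warn-codes describe the representation and are retained.
        kept = [w for w in h["warning"] if not w.lstrip().startswith("1")]
        if kept:
            h["warning"] = kept
        else:
            del h["warning"]
    # Other header fields in the 304 replace all stored instances.
    for name, value in new_headers.items():
        if name != "warning":
            h[name] = value
    return stored_response


def freshen_with_304(new_headers, stored):
    """Select and update; returns the list of responses that were updated."""
    return [apply_304(r, new_headers) for r in select_for_update(new_headers, stored)]
```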
   If a stored response is selected for update, the cache MUST:

   o  delete any Warning header fields in the stored response with
      warn-code 1xx (see Section 7.5);

   o  retain any Warning header fields in the stored response with
      warn-code 2xx; and,

   o  use other header fields provided in the 304 (Not Modified)
      response to replace all instances of the corresponding header
      fields in the stored response.

4.3.  Using Negotiated Responses

   When a cache receives a request that can be satisfied by a stored
   response that has a Vary header field (Section 7.1.4 of [Part2]), it
   MUST NOT use that response unless all of the selecting header fields
   nominated by the Vary header field match in both the original request
   (i.e., that associated with the stored response), and the presented
   request.

   The selecting header fields from two requests are defined to match if
   and only if those in the first request can be transformed to those in
   the second request by applying any of the following:

   o  adding or removing whitespace, where allowed in the header field's
      syntax

   o  combining multiple header fields with the same field name (see
      Section 3.2 of [Part1])

   o  normalizing both header field values in a way that is known to
      have identical semantics, according to the header field's
      specification (e.g., re-ordering field values when order is not
      significant; case-normalization, where values are defined to be
      case-insensitive)

   If (after any normalization that might take place) a header field is
   absent from a request, it can only match another request if it is
   also absent there.

   A Vary header field-value of "*" always fails to match, and
   subsequent requests to that resource can only be properly interpreted
   by the origin server.

   The stored response with matching selecting header fields is known as
   the selected response.
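   The selecting-header match just defined, as an added Python example
   that is not part of this draft.  Which fields are list-valued,
   case-insensitive or order-insensitive comes from each field's own
   specification; the three small sets below are this example's
   assumptions for a handful of common fields, and vary_matches and
   select_response are its own names.  It also shows the "most recent
   wins" choice among several selected responses that Section 4.3
   goes on to state.

```python
import re

# Assumptions for this example: fields whose values are comma lists
# (Section 3.2 of [Part1]), whose members are case-insensitive, and
# whose member order carries no meaning.  Anything else is compared
# byte-for-byte after whitespace squeezing.
LIST_FIELDS = {"accept", "accept-encoding", "accept-language"}
CASE_INSENSITIVE_FIELDS = {"accept", "accept-encoding", "accept-language"}
ORDER_INSENSITIVE_FIELDS = {"accept-encoding"}


def _normalize(name, values):
    """Combine repeated fields and apply the allowed transformations."""
    combined = ",".join(values)
    if name in LIST_FIELDS:
        members = [re.sub(r"\s+", " ", m).strip() for m in combined.split(",")]
        members = [m for m in members if m]
    else:
        members = [re.sub(r"\s+", " ", combined).strip()]
    if name in CASE_INSENSITIVE_FIELDS:
        members = [m.lower() for m in members]
    if name in ORDER_INSENSITIVE_FIELDS:
        members = sorted(members)
    return members


def vary_matches(vary, original_request, presented_request):
    """True if the presented request may reuse a response stored under
    `vary` whose original request was `original_request`.

    Requests map lower-cased field names to lists of field values.
    """
    fields = [f.strip().lower() for f in vary.split(",") if f.strip()]
    if "*" in fields:
        return False                      # "*" always fails to match
    for name in fields:
        a = original_request.get(name)
        b = presented_request.get(name)
        if (a is None) != (b is None):
            return False                  # absent only matches absent
        if a is None:
            continue
        if _normalize(name, a) != _normalize(name, b):
            return False
    return True


def select_response(stored, presented_request):
    """Return the selected response, or None if no stored one matches.

    stored: dicts with "vary", "request" (the original request) and
    "date" (integer seconds).  Ties go to the most recent by Date.
    """
    matches = [r for r in stored
               if vary_matches(r["vary"], r["request"], presented_request)]
    if not matches:
        return None
    return max(matches, key=lambda r: r["date"])
```

   Note that a field outside the three sets (User-Agent, Cookie) is
   matched exactly, so two requests differing only in letter case there
   do not share a stored response; that is the conservative default for
   anything whose semantics the cache does not know.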
   If multiple selected responses are available, the most recent
   response (as determined by the Date header field) is used; see
   Section 4.

   If no selected response is available, the cache cannot satisfy the
   presented request.  Typically, it is forwarded to the origin server
   in a (possibly conditional; see Section 4.2) request.

4.4.  Combining Partial Content

   A response might transfer only a partial representation if the
   connection closed prematurely or if the request used one or more
   Range specifiers ([Part5]).  After several such transfers, a cache
   might have received several ranges of the same representation.  A
   cache MAY combine these ranges into a single stored response, and
   reuse that response to satisfy later requests, if they all share the
   same strong validator and the cache complies with the client
   requirements in Section 4.3 of [Part5].

   When combining the new response with one or more stored responses, a
   cache MUST:

   o  delete any Warning header fields in the stored response with
      warn-code 1xx (see Section 7.5);

   o  retain any Warning header fields in the stored response with
      warn-code 2xx; and,

   o  use other header fields provided in the new response, aside from
      Content-Range, to replace all instances of the corresponding
      header fields in the stored response.

5.  Updating Caches with HEAD Responses

   A response to the HEAD method is identical to what an equivalent
   request made with a GET would have been, except it lacks a body.
   This property of HEAD responses is used to both invalidate and update
   cached GET responses.

   If one or more stored GET responses can be selected (as per
   Section 4.3) for a HEAD request, and the Content-Length, ETag or
   Last-Modified value of a HEAD response differs from that in a
   selected GET response, the cache MUST consider that selected response
   to be stale.
   If the Content-Length, ETag and Last-Modified values of a HEAD
   response (when present) are the same as that in a selected GET
   response (as per Section 4.3), the cache SHOULD update the remaining
   header fields in the stored response using the following rules:

   o  delete any Warning header fields in the stored response with
      warn-code 1xx (see Section 7.5);

   o  retain any Warning header fields in the stored response with
      warn-code 2xx; and,

   o  use other header fields provided in the response to replace all
      instances of the corresponding header fields in the stored
      response.

6.  Request Methods that Invalidate

   Because unsafe request methods (Section 4.2.1 of [Part2]) such as
   PUT, POST or DELETE have the potential for changing state on the
   origin server, intervening caches can use them to keep their contents
   up-to-date.

   A cache MUST invalidate the effective Request URI (Section 5.5 of
   [Part1]) as well as the URI(s) in the Location and Content-Location
   response header fields (if present) when a non-error response to a
   request with an unsafe method is received.

   However, a cache MUST NOT invalidate a URI from a Location or
   Content-Location response header field if the host part of that URI
   differs from the host part in the effective request URI (Section 5.5
   of [Part1]).  This helps prevent denial of service attacks.

   A cache MUST invalidate the effective request URI (Section 5.5 of
   [Part1]) when it receives a non-error response to a request with a
   method whose safety is unknown.

   Here, a "non-error response" is one with a 2xx (Successful) or 3xx
   (Redirection) status code.  "Invalidate" means that the cache will
   either remove all stored responses related to the effective request
   URI, or will mark these as "invalid" and in need of a mandatory
   validation before they can be sent in response to a subsequent
   request.
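   The invalidation rules of Section 6, including the host check that
   keeps a response on one host from evicting a cache's entries for
   another, as an added Python example that is not part of this draft.
   The safe-method set follows Section 4.2.1 of [Part2]; the unsafe set
   is the three methods named above, so any other method is treated as
   "safety unknown".  The class name InvalidatingCache, the method
   "FROB" and the example.com/other.example URIs are this example's
   constructions.

```python
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # Section 4.2.1 of [Part2]
UNSAFE_METHODS = {"PUT", "POST", "DELETE"}            # the methods named above


def _same_host(uri_a, uri_b):
    """Compare the host parts only (scheme and port are not consulted)."""
    return urlsplit(uri_a).hostname == urlsplit(uri_b).hostname


def uris_to_invalidate(method, status, effective_uri, response_headers):
    """Return the set of URIs a cache must invalidate for this response.

    response_headers maps lower-cased names to values.  Only a non-error
    (2xx/3xx) response to a non-safe method invalidates anything.
    """
    method = method.upper()
    if method in SAFE_METHODS or not 200 <= status < 400:
        return set()
    targets = {effective_uri}
    if method in UNSAFE_METHODS:
        # Location / Content-Location are invalidated too, but only when
        # they name the same host as the effective request URI.
        for name in ("location", "content-location"):
            value = response_headers.get(name)
            if value is None:
                continue
            candidate = urljoin(effective_uri, value)   # resolve relative refs
            if _same_host(candidate, effective_uri):
                targets.add(candidate)
    # A method of unknown safety invalidates the effective request URI only.
    return targets


class InvalidatingCache:
    """Minimal cache that marks entries invalid rather than deleting them,
    so they require validation before reuse (one of the two allowed
    meanings of "invalidate" in Section 6)."""

    def __init__(self):
        self.entries = {}   # uri -> {"body": ..., "invalid": bool}

    def store(self, uri, body):
        self.entries[uri] = {"body": body, "invalid": False}

    def process_response(self, method, status, effective_uri, headers):
        """Apply Section 6 to a received response; return the URIs that
        were present in the cache and got marked invalid."""
        hit = set()
        for uri in uris_to_invalidate(method, status, effective_uri, headers):
            entry = self.entries.get(uri)
            if entry is not None:
                entry["invalid"] = True
                hit.add(uri)
        return hit
```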
   Note that this does not guarantee that all appropriate responses are
   invalidated.  For example, the request that caused the change at the
   origin server might not have gone through the cache where a response
   is stored.

7.  Header Field Definitions

   This section defines the syntax and semantics of HTTP/1.1 header
   fields related to caching.

7.1.  Age

   The "Age" header field conveys the sender's estimate of the amount of
   time since the response was generated or successfully validated at
   the origin server.  Age values are calculated as specified in
   Section 4.1.3.

     Age = delta-seconds

   Age field-values are non-negative integers, representing time in
   seconds (see Section 1.4.1).

   The presence of an Age header field in a response implies that a
   response is not first-hand.  However, the converse is not true, since
   HTTP/1.0 caches might not implement the Age header field.

7.2.  Cache-Control

   The "Cache-Control" header field is used to specify directives for
   caches along the request/response chain.  Such cache directives are
   unidirectional in that the presence of a directive in a request does
   not imply that the same directive is to be given in the response.

   A cache MUST obey the requirements of the Cache-Control directives
   defined in this section.  See Section 7.2.3 for information about how
   Cache-Control directives defined elsewhere are handled.

      Note: HTTP/1.0 caches might not implement Cache-Control and might
      only implement Pragma: no-cache (see Section 7.4).

   A proxy, whether or not it implements a cache, MUST pass cache
   directives through in forwarded messages, regardless of their
   significance to that application, since the directives might be
   applicable to all recipients along the request/response chain.  It is
   not possible to target a directive to a specific cache.
   Cache directives are identified by a token, to be compared
   case-insensitively, and have an optional argument, that can use both
   token and quoted-string syntax.  For the directives defined below
   that define arguments, recipients ought to accept both forms, even if
   one is documented to be preferred.  For any directive not defined by
   this specification, recipients MUST accept both forms.

     Cache-Control   = 1#cache-directive

     cache-directive = token [ "=" ( token / quoted-string ) ]

   For the cache directives defined below, no argument is defined (nor
   allowed) unless stated otherwise.

7.2.1.  Request Cache-Control Directives

7.2.1.1.  no-cache

   The "no-cache" request directive indicates that a cache MUST NOT use
   a stored response to satisfy the request without successful
   validation on the origin server.

7.2.1.2.  no-store

   The "no-store" request directive indicates that a cache MUST NOT
   store any part of either this request or any response to it.  This
   directive applies to both private and shared caches.  "MUST NOT
   store" in this context means that the cache MUST NOT intentionally
   store the information in non-volatile storage, and MUST make a
   best-effort attempt to remove the information from volatile storage
   as promptly as possible after forwarding it.

   This directive is NOT a reliable or sufficient mechanism for ensuring
   privacy.  In particular, malicious or compromised caches might not
   recognize or obey this directive, and communications networks might
   be vulnerable to eavesdropping.

   Note that if a request containing this directive is satisfied from a
   cache, the no-store request directive does not apply to the already
   stored response.

7.2.1.3.  max-age

   Argument syntax:

      delta-seconds (see Section 1.4.1)

   The "max-age" request directive indicates that the client is
   unwilling to accept a response whose age is greater than the
   specified number of seconds.  Unless the max-stale request directive
   is also present, the client is not willing to accept a stale
   response.

      Note: This directive uses the token form of the argument syntax;
      e.g., 'max-age=5', not 'max-age="5"'.  Senders SHOULD NOT use the
      quoted-string form.

7.2.1.4.  max-stale

   Argument syntax:

      delta-seconds (see Section 1.4.1)

   The "max-stale" request directive indicates that the client is
   willing to accept a response that has exceeded its expiration time.
   If max-stale is assigned a value, then the client is willing to
   accept a response that has exceeded its expiration time by no more
   than the specified number of seconds.  If no value is assigned to
   max-stale, then the client is willing to accept a stale response of
   any age.

      Note: This directive uses the token form of the argument syntax;
      e.g., 'max-stale=10', not 'max-stale="10"'.  Senders SHOULD NOT
      use the quoted-string form.

7.2.1.5.  min-fresh

   Argument syntax:

      delta-seconds (see Section 1.4.1)

   The "min-fresh" request directive indicates that the client is
   willing to accept a response whose freshness lifetime is no less than
   its current age plus the specified time in seconds.  That is, the
   client wants a response that will still be fresh for at least the
   specified number of seconds.

      Note: This directive uses the token form of the argument syntax;
      e.g., 'min-fresh=20', not 'min-fresh="20"'.  Senders SHOULD NOT
      use the quoted-string form.

7.2.1.6.  no-transform

   The "no-transform" request directive indicates that an intermediary
   (whether or not it implements a cache) MUST NOT transform the
   payload, as defined in Section 5.7.2 of [Part1].

7.2.1.7.  only-if-cached

   The "only-if-cached" request directive indicates that the client only
   wishes to obtain a stored response.  If it receives this directive, a
   cache SHOULD either respond using a stored response that is
   consistent with the other constraints of the request, or respond with
   a 504 (Gateway Timeout) status code.  If a group of caches is being
   operated as a unified system with good internal connectivity, a
   member cache MAY forward such a request within that group of caches.

7.2.2.  Response Cache-Control Directives

7.2.2.1.  public

   The "public" response directive indicates that any cache MAY store
   the response, even if the response would normally be non-cacheable or
   cacheable only within a non-shared cache.  (See Section 3.2 for
   additional details related to the use of public in response to a
   request containing Authorization, and Section 3 for details of how
   public affects responses that would normally not be stored, due to
   their status codes not being defined as cacheable.)

7.2.2.2.  private

   Argument syntax:

      #field-name

   The "private" response directive indicates that the response message
   is intended for a single user and MUST NOT be stored by a shared
   cache.  A private cache MAY store the response and reuse it for later
   requests, even if the response would normally be non-cacheable.

   If the private response directive specifies one or more field-names,
   this requirement is limited to the field-values associated with the
   listed response header fields.  That is, a shared cache MUST NOT
   store the specified field-name(s), whereas it MAY store the
   remainder of the response message.

   The field-names given are not limited to the set of standard header
   fields defined by this specification.  Field names are
   case-insensitive.
      Note: This usage of the word "private" only controls where the
      response can be stored; it cannot ensure the privacy of the
      message content.  Also, private response directives with
      field-names are often handled by implementations as if an
      unqualified private directive was received; i.e., the special
      handling for the qualified form is not widely implemented.

      Note: This directive uses the quoted-string form of the argument
      syntax.  Senders SHOULD NOT use the token form (even if quoting
      appears not to be needed for single-entry lists).

7.2.2.3.  no-cache

   Argument syntax:

      #field-name

   The "no-cache" response directive indicates that the response MUST
   NOT be used to satisfy a subsequent request without successful
   validation on the origin server.  This allows an origin server to
   prevent a cache from using it to satisfy a request without contacting
   it, even by caches that have been configured to send stale responses.

   If the no-cache response directive specifies one or more field-names,
   then a cache MAY use the response to satisfy a subsequent request,
   subject to any other restrictions on caching.  However, any header
   fields in the response that have the field-name(s) listed MUST NOT be
   sent in the response to a subsequent request without successful
   revalidation with the origin server.  This allows an origin server to
   prevent the re-use of certain header fields in a response, while
   still allowing caching of the rest of the response.

   The field-names given are not limited to the set of standard header
   fields defined by this specification.  Field names are
   case-insensitive.

      Note: Many HTTP/1.0 caches will not recognize or obey this
      directive.
      Also, no-cache response directives with field-names are often
      handled by implementations as if an unqualified no-cache directive
      was received; i.e., the special handling for the qualified form is
      not widely implemented.

      Note: This directive uses the quoted-string form of the argument
      syntax.  Senders SHOULD NOT use the token form (even if quoting
      appears not to be needed for single-entry lists).

7.2.2.4.  no-store

   The "no-store" response directive indicates that a cache MUST NOT
   store any part of either the immediate request or response.  This
   directive applies to both private and shared caches.  "MUST NOT
   store" in this context means that the cache MUST NOT intentionally
   store the information in non-volatile storage, and MUST make a
   best-effort attempt to remove the information from volatile storage
   as promptly as possible after forwarding it.

   This directive is NOT a reliable or sufficient mechanism for ensuring
   privacy.  In particular, malicious or compromised caches might not
   recognize or obey this directive, and communications networks might
   be vulnerable to eavesdropping.

7.2.2.5.  must-revalidate

   The "must-revalidate" response directive indicates that once it has
   become stale, a cache MUST NOT use the response to satisfy subsequent
   requests without successful validation on the origin server.

   The must-revalidate directive is necessary to support reliable
   operation for certain protocol features.  In all circumstances a
   cache MUST obey the must-revalidate directive; in particular, if a
   cache cannot reach the origin server for any reason, it MUST generate
   a 504 (Gateway Timeout) response.

   The must-revalidate directive ought to be used by servers if and only
   if failure to validate a request on the representation could result
   in incorrect operation, such as a silently unexecuted financial
   transaction.
7.2.2.6.  proxy-revalidate

   The "proxy-revalidate" response directive has the same meaning as the
   must-revalidate response directive, except that it does not apply to
   private caches.

7.2.2.7.  max-age

   Argument syntax:

      delta-seconds (see Section 1.4.1)

   The "max-age" response directive indicates that the response is to be
   considered stale after its age is greater than the specified number
   of seconds.

      Note: This directive uses the token form of the argument syntax;
      e.g., 'max-age=5', not 'max-age="5"'.  Senders SHOULD NOT use the
      quoted-string form.

7.2.2.8.  s-maxage

   Argument syntax:

      delta-seconds (see Section 1.4.1)

   The "s-maxage" response directive indicates that, in shared caches,
   the maximum age specified by this directive overrides the maximum age
   specified by either the max-age directive or the Expires header
   field.  The s-maxage directive also implies the semantics of the
   proxy-revalidate response directive.

      Note: This directive uses the token form of the argument syntax;
      e.g., 's-maxage=10', not 's-maxage="10"'.  Senders SHOULD NOT use
      the quoted-string form.

7.2.2.9.  no-transform

   The "no-transform" response directive indicates that an intermediary
   (regardless of whether it implements a cache) MUST NOT transform the
   payload, as defined in Section 5.7.2 of [Part1].

7.2.3.  Cache Control Extensions

   The Cache-Control header field can be extended through the use of one
   or more cache-extension tokens, each with an optional value.
   Informational extensions (those that do not require a change in cache
   behavior) can be added without changing the semantics of other
   directives.  Behavioral extensions are designed to work by acting as
   modifiers to the existing base of cache directives.  Both the new
   directive and the standard directive are supplied, such that
   applications that do not understand the new directive will default to
   the behavior specified by the standard directive, and those that
   understand the new directive will recognize it as modifying the
   requirements associated with the standard directive.  In this way,
   extensions to the cache-control directives can be made without
   requiring changes to the base protocol.

   This extension mechanism depends on an HTTP cache obeying all of the
   cache-control directives defined for its native HTTP-version, obeying
   certain extensions, and ignoring all directives that it does not
   understand.

   For example, consider a hypothetical new response directive called
   "community" that acts as a modifier to the private directive.  We
   define this new directive to mean that, in addition to any private
   cache, any cache that is shared only by members of the community
   named within its value is allowed to cache the response.  An origin
   server wishing to allow the UCI community to use an otherwise private
   response in their shared cache(s) could do so by including

     Cache-Control: private, community="UCI"

   A cache seeing this header field will act correctly even if the cache
   does not understand the community cache-extension, since it will also
   see and understand the private directive and thus default to the safe
   behavior.

   A cache MUST ignore unrecognized cache directives; it is assumed that
   any cache directive likely to be unrecognized by an HTTP/1.1 cache
   will be combined with standard directives (or the response's default
   cacheability) such that the cache behavior will remain minimally
   correct even if the cache does not understand the extension(s).
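   A parser for the Cache-Control grammar of Section 7.2 (token and
   quoted-string argument forms, case-insensitive names, quoted-strings
   that may themselves contain commas) together with the shared-cache
   consequences of no-store, private with and without field-names,
   s-maxage over max-age over Expires, and the "ignore what you do not
   understand" rule of Section 7.2.3, as an added Python example that is
   not part of this draft.  The function names, the treatment of a
   repeated directive (last one wins) and the sample header values are
   this example's own; Expires is taken as an already computed
   "Expires minus Date" in seconds, with 0 standing for an invalid
   Expires as Section 7.3 requires.

```python
import re

# token characters per Section 3.2.6 of [Part1]
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_cache_control(field_values):
    """Parse one or more Cache-Control field values into {name: argument}.

    Names are lower-cased (they compare case-insensitively).  A directive
    without "=" maps to None; a quoted-string argument is unescaped, so
    max-age=5 and max-age="5" both yield "5".  Malformed input raises.
    """
    directives = {}
    for value in field_values:
        i, n = 0, len(value)
        while i < n:
            while i < n and value[i] in " \t,":   # OWS and empty list items
                i += 1
            if i >= n:
                break
            m = _TOKEN.match(value, i)
            if m is None:
                raise ValueError("invalid cache-directive at offset %d" % i)
            name, i, arg = m.group().lower(), m.end(), None
            if i < n and value[i] == "=":
                i += 1
                if i < n and value[i] == '"':         # quoted-string
                    i, chars = i + 1, []
                    while i < n and value[i] != '"':
                        if value[i] == "\\" and i + 1 < n:   # quoted-pair
                            i += 1
                        chars.append(value[i])
                        i += 1
                    if i >= n:
                        raise ValueError("unterminated quoted-string")
                    i, arg = i + 1, "".join(chars)
                else:                                 # token
                    m = _TOKEN.match(value, i)
                    if m is None:
                        raise ValueError("missing directive argument")
                    arg, i = m.group(), m.end()
            directives[name] = arg
    return directives


def shared_cache_storage(directives, response_headers):
    """What a shared cache may store: None, or the header dict with the
    fields named by a qualified private=... directive removed.
    Unknown directives (e.g. community="UCI") are simply ignored."""
    if "no-store" in directives:
        return None
    headers = dict(response_headers)
    if "private" in directives:
        names = directives["private"]
        if not names:                     # unqualified: nothing for shared caches
            return None
        for field in (f.strip().lower() for f in names.split(",")):
            if field:
                headers.pop(field, None)
    return headers


def delta_seconds(value):
    """delta-seconds (Section 1.4.1): a non-negative decimal integer."""
    return int(value) if value is not None and value.isdigit() else None


def freshness_lifetime(directives, shared, expires_minus_date=None):
    """Explicit freshness lifetime in seconds, or None if only heuristics
    remain.  Shared caches: s-maxage > max-age > Expires; private caches
    ignore s-maxage."""
    if shared:
        v = delta_seconds(directives.get("s-maxage"))
        if v is not None:
            return v
    v = delta_seconds(directives.get("max-age"))
    if v is not None:
        return v
    return expires_minus_date


def must_revalidate_when_stale(directives, shared):
    """True if a stale copy may never be served without validation."""
    if "must-revalidate" in directives:
        return True
    # s-maxage implies proxy-revalidate; both bind shared caches only.
    return shared and ("proxy-revalidate" in directives or "s-maxage" in directives)
```

   Because the scanner honours quoted-strings, a value such as
   private="Set-Cookie, X-Session" is one directive with a two-member
   argument rather than a private directive followed by a bogus
   "X-Session" directive; splitting on commas first would get that
   wrong and could leave a session header in a shared cache.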
   New extension directives ought to consider defining:

   o  What it means for a directive to be specified multiple times,

   o  When the directive does not take an argument, what it means when
      an argument is present,

   o  When the directive requires an argument, what it means when it is
      missing.

   The HTTP Cache Directive Registry defines the name space for the
   cache directives.

   A registration MUST include the following fields:

   o  Cache Directive Name

   o  Pointer to specification text

   Values to be added to this name space require IETF Review (see
   [RFC5226], Section 4.1).

   The registry itself is maintained at .

7.3.  Expires

   The "Expires" header field gives the date/time after which the
   response is considered stale.  See Section 4.1 for further discussion
   of the freshness model.

   The presence of an Expires field does not imply that the original
   resource will change or cease to exist at, before, or after that
   time.

   The Expires value is an HTTP-date timestamp, as defined in Section
   7.1.1.1 of [Part2].

     Expires = HTTP-date

   For example

     Expires: Thu, 01 Dec 1994 16:00:00 GMT

   A cache recipient MUST interpret invalid date formats, especially the
   value "0", as representing a time in the past (i.e., "already
   expired").

   If a response includes a Cache-Control field with the max-age
   directive (Section 7.2.2.7), a recipient MUST ignore the Expires
   field.  Likewise, if a response includes the s-maxage directive
   (Section 7.2.2.8), a shared cache recipient MUST ignore the Expires
   field.  In both these cases, the value in Expires is only intended
   for recipients that have not yet implemented the Cache-Control field.
   An origin server without a clock MUST NOT generate an Expires field
   unless its value represents a fixed time in the past (always expired)
   or its value has been associated with the resource by a system or
   user with a reliable clock.

   Historically, HTTP required the Expires field-value to be no more
   than a year in the future.  While longer freshness lifetimes are no
   longer prohibited, extremely large values have been demonstrated to
   cause problems (e.g., clock overflows due to use of 32-bit integers
   for time values), and many caches will evict a response far sooner
   than that.

7.4.  Pragma

   The "Pragma" header field allows backwards compatibility with
   HTTP/1.0 caches, so that clients can specify a "no-cache" request
   that they will understand (as Cache-Control was not defined until
   HTTP/1.1).  When the Cache-Control header field is also present and
   understood in a request, Pragma is ignored.

   In HTTP/1.0, Pragma was defined as an extensible field for
   implementation-specified directives for recipients.  This
   specification deprecates such extensions to improve interoperability.

     Pragma           = 1#pragma-directive
     pragma-directive = "no-cache" / extension-pragma
     extension-pragma = token [ "=" ( token / quoted-string ) ]

   When the Cache-Control header field is not present in a request, the
   no-cache request pragma-directive MUST have the same effect on caches
   as if "Cache-Control: no-cache" were present (see Section 7.2.1).

   When sending a no-cache request, a client ought to include both the
   pragma and cache-control directives, unless Cache-Control: no-cache
   is purposefully omitted to target other Cache-Control response
   directives at HTTP/1.1 caches.
   For example:

     GET / HTTP/1.1
     Host: www.example.com
     Cache-Control: max-age=30
     Pragma: no-cache

   will constrain HTTP/1.1 caches to serve a response no older than 30
   seconds, while precluding implementations that do not understand
   Cache-Control from serving a cached response.

      Note: Because the meaning of "Pragma: no-cache" in responses is
      not specified, it does not provide a reliable replacement for
      "Cache-Control: no-cache" in them.

7.5.  Warning

   The "Warning" header field is used to carry additional information
   about the status or transformation of a message that might not be
   reflected in the message.  This information is typically used to warn
   about possible incorrectness introduced by caching operations or
   transformations applied to the payload of the message.

   Warnings can be used for other purposes, both cache-related and
   otherwise.  The use of a warning, rather than an error status code,
   distinguishes these responses from true failures.

   Warning header fields can in general be applied to any message,
   however some warn-codes are specific to caches and can only be
   applied to response messages.

     Warning       = 1#warning-value

     warning-value = warn-code SP warn-agent SP warn-text
                                           [SP warn-date]

     warn-code  = 3DIGIT
     warn-agent = ( uri-host [ ":" port ] ) / pseudonym
                     ; the name or pseudonym of the server adding
                     ; the Warning header field, for use in debugging
     warn-text  = quoted-string
     warn-date  = DQUOTE HTTP-date DQUOTE

   Multiple warnings can be attached to a response (either by the origin
   server or by a cache), including multiple warnings with the same code
   number, only differing in warn-text.

   When this occurs, the user agent SHOULD inform the user of as many of
   them as possible, in the order that they appear in the response.
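   The Warning grammar above, with the two handling rules that Section
   7.5 goes on to state (a warning-value whose warn-date differs from
   the message's Date is dropped before the message is stored,
   forwarded or used; a warn-date matching Date is added when sending
   to an HTTP/1.0 receiver), as an added Python example that is not part
   of this draft.  The function names and the sample Warning and Date
   values are this example's own constructions.

```python
import re

# warning-value = warn-code SP warn-agent SP warn-text [SP warn-date]
_WARNING_VALUE = re.compile(
    r'^(?P<code>\d{3}) (?P<agent>\S+) "(?P<text>(?:[^"\\]|\\.)*)"'
    r'(?: "(?P<date>[^"]*)")?$'
)


def _split_list(value):
    """Split a #list field value on commas that are outside quoted-strings,
    so a comma inside warn-text or warn-date does not split the value."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quotes:
            escaped = True
            buf.append(ch)
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def parse_warning(field_values):
    """Parse Warning field values into (code, agent, text, warn_date) tuples;
    warn_date is None when absent.  Malformed values raise ValueError."""
    out = []
    for value in field_values:
        for item in _split_list(value):
            m = _WARNING_VALUE.match(item)
            if m is None:
                raise ValueError("invalid warning-value: %r" % item)
            out.append((int(m.group("code")), m.group("agent"),
                        m.group("text"), m.group("date")))
    return out


def prune_warnings(warnings, date_value):
    """Drop warning-values whose warn-date differs from the message's Date.
    An empty result means the Warning header field itself must go."""
    return [w for w in warnings if w[3] is None or w[3] == date_value]


def format_warning(warnings, date_value=None):
    """Serialize warning-values as one field value.  Pass the message's
    Date as date_value when the receiver is HTTP/1.0 or lower, so every
    value carries a matching warn-date."""
    parts = []
    for code, agent, text, warn_date in warnings:
        s = '%d %s "%s"' % (code, agent, text)
        stamp = date_value if date_value is not None else warn_date
        if stamp is not None:
            s += ' "%s"' % stamp
        parts.append(s)
    return ", ".join(parts)
```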
   Systems that generate multiple Warning header fields are encouraged
   to order them with this user agent behavior in mind.  New Warning
   header fields are added after any existing Warning header fields.

   Warnings are assigned three digit warn-codes.  The first digit
   indicates whether the Warning is required to be deleted from a stored
   response after validation:

   o  1xx Warnings describe the freshness or validation status of the
      response, and so MUST be deleted by a cache after validation.
      They can only be generated by a cache when validating a cached
      entry, and MUST NOT be generated in any other situation.

   o  2xx Warnings describe some aspect of the representation that is
      not rectified by a validation (for example, a lossy compression of
      the representation) and MUST NOT be deleted by a cache after
      validation, unless a full response is sent, in which case they
      MUST be.

   If an implementation sends a message with one or more Warning header
   fields to a receiver whose version is HTTP/1.0 or lower, then the
   sender MUST include in each warning-value a warn-date that matches
   the Date header field in the message.

   If a system receives a message with a warning-value that includes a
   warn-date, and that warn-date is different from the Date value in the
   response, then that warning-value MUST be deleted from the message
   before storing, forwarding, or using it.  (This prevents the
   consequences of naive caching of Warning header fields.)  If all of
   the warning-values are deleted for this reason, the Warning header
   field MUST be deleted as well.

   The following warn-codes are defined by this specification, each with
   a recommended warn-text in English, and a description of its meaning.

7.5.1.  110 Response is Stale

   A cache SHOULD generate this whenever the sent response is stale.

7.5.2.  111 Revalidation Failed

   A cache SHOULD generate this when sending a stale response because an
   attempt to validate the response failed, due to an inability to reach
   the server.

7.5.3.  112 Disconnected Operation

   A cache SHOULD generate this if it is intentionally disconnected from
   the rest of the network for a period of time.

7.5.4.  113 Heuristic Expiration

   A cache SHOULD generate this if it heuristically chose a freshness
   lifetime greater than 24 hours and the response's age is greater than
   24 hours.

7.5.5.  199 Miscellaneous Warning

   The warning text can include arbitrary information to be presented to
   a human user, or logged.  A system receiving this warning MUST NOT
   take any automated action, besides presenting the warning to the
   user.

7.5.6.  214 Transformation Applied

   MUST be added by a proxy if it applies any transformation to the
   representation, such as changing the content-coding, media-type, or
   modifying the representation data, unless this Warning code already
   appears in the response.

7.5.7.  299 Miscellaneous Persistent Warning

   The warning text can include arbitrary information to be presented to
   a human user, or logged.  A system receiving this warning MUST NOT
   take any automated action.

7.5.8.  Warn Code Extensions

   The HTTP Warn Code Registry defines the name space for warn codes.

   A registration MUST include the following fields:

   o  Warn Code (3 digits)

   o  Short Description

   o  Pointer to specification text

   Values to be added to this name space require IETF Review (see
   [RFC5226], Section 4.1).

   The registry itself is maintained at .

8.  History Lists

   User agents often have history mechanisms, such as "Back" buttons and
   history lists, that can be used to redisplay a representation
   retrieved earlier in a session.
   The freshness model (Section 4.1) does not necessarily apply to
   history mechanisms.  I.e., a history mechanism can display a previous
   representation even if it has expired.

   This does not prohibit the history mechanism from telling the user
   that a view might be stale, or from honoring cache directives (e.g.,
   Cache-Control: no-store).

9. IANA Considerations

9.1. Cache Directive Registry

   The registration procedure for HTTP Cache Directives is defined by
   Section 7.2.3 of this document.

   The HTTP Cache Directive Registry shall be created at and be
   populated with the registrations below:

   +------------------------+----------------------------------+
   | Cache Directive        | Reference                        |
   +------------------------+----------------------------------+
   | max-age                | Section 7.2.1.3, Section 7.2.2.7 |
   | max-stale              | Section 7.2.1.4                  |
   | min-fresh              | Section 7.2.1.5                  |
   | must-revalidate        | Section 7.2.2.5                  |
   | no-cache               | Section 7.2.1.1, Section 7.2.2.3 |
   | no-store               | Section 7.2.1.2, Section 7.2.2.4 |
   | no-transform           | Section 7.2.1.6, Section 7.2.2.9 |
   | only-if-cached         | Section 7.2.1.7                  |
   | private                | Section 7.2.2.2                  |
   | proxy-revalidate       | Section 7.2.2.6                  |
   | public                 | Section 7.2.2.1                  |
   | s-maxage               | Section 7.2.2.8                  |
   | stale-if-error         | [RFC5861], Section 4             |
   | stale-while-revalidate | [RFC5861], Section 3             |
   +------------------------+----------------------------------+

9.2. Warn Code Registry

   The registration procedure for HTTP Warn Codes is defined by
   Section 7.5.8 of this document.
   The HTTP Warn Code Registry shall be created at and be
   populated with the registrations below:

   +-----------+----------------------------------+---------------+
   | Warn Code | Short Description                | Reference     |
   +-----------+----------------------------------+---------------+
   | 110       | Response is Stale                | Section 7.5.1 |
   | 111       | Revalidation Failed              | Section 7.5.2 |
   | 112       | Disconnected Operation           | Section 7.5.3 |
   | 113       | Heuristic Expiration             | Section 7.5.4 |
   | 199       | Miscellaneous Warning            | Section 7.5.5 |
   | 214       | Transformation Applied           | Section 7.5.6 |
   | 299       | Miscellaneous Persistent Warning | Section 7.5.7 |
   +-----------+----------------------------------+---------------+

9.3. Header Field Registration

   The Message Header Field Registry located at shall be
   updated with the permanent registrations below (see [BCP90]):

   +-------------------+----------+----------+-------------+
   | Header Field Name | Protocol | Status   | Reference   |
   +-------------------+----------+----------+-------------+
   | Age               | http     | standard | Section 7.1 |
   | Cache-Control     | http     | standard | Section 7.2 |
   | Expires           | http     | standard | Section 7.3 |
   | Pragma            | http     | standard | Section 7.4 |
   | Warning           | http     | standard | Section 7.5 |
   +-------------------+----------+----------+-------------+

   The change controller is: "IETF (iesg@ietf.org) - Internet
   Engineering Task Force".

10. Security Considerations

   This section is meant to inform developers, information providers,
   and users of known security concerns specific to HTTP/1.1 caching.
   More general security considerations are addressed in HTTP messaging
   [Part1] and semantics [Part2].

   Caches expose additional potential vulnerabilities, since the
   contents of the cache represent an attractive target for malicious
   exploitation.
   Because cache contents persist after an HTTP request
   is complete, an attack on the cache can reveal information long after
   a user believes that the information has been removed from the
   network.  Therefore, cache contents need to be protected as sensitive
   information.

   Furthermore, the very use of a cache can bring about privacy
   concerns.  For example, if two users share a cache, and the first one
   browses to a site, the second may be able to detect that the other
   has been to that site, because the resources from it load more
   quickly, thanks to the cache.

   Implementation flaws might allow attackers to insert content into a
   cache ("cache poisoning"), leading to compromise of clients that
   trust that content.  Because of their nature, these attacks are
   difficult to mitigate.

   Likewise, implementation flaws (as well as misunderstanding of cache
   operation) might lead to caching of sensitive information (e.g.,
   authentication credentials) that is thought to be private, exposing
   it to unauthorized parties.

   Note that the Set-Cookie response header [RFC6265] does not inhibit
   caching; a cacheable response with a Set-Cookie header can be (and
   often is) used to satisfy subsequent requests to caches.  Servers
   that wish to control caching of these responses are encouraged to
   emit appropriate Cache-Control response headers.

11. Acknowledgments

   See Section 9 of [Part1].

12. References

12.1. Normative References

   [Part1]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              draft-ietf-httpbis-p1-messaging-22 (work in progress),
              February 2013.

   [Part2]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content",
              draft-ietf-httpbis-p2-semantics-22 (work in progress),
              February 2013.

   [Part4]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Conditional Requests",
              draft-ietf-httpbis-p4-conditional-22 (work in progress),
              February 2013.

   [Part5]    Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed.,
              "Hypertext Transfer Protocol (HTTP/1.1): Range Requests",
              draft-ietf-httpbis-p5-range-22 (work in progress),
              February 2013.

   [Part7]    Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Authentication",
              draft-ietf-httpbis-p7-auth-22 (work in progress),
              February 2013.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

12.2. Informative References

   [BCP90]    Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              September 2004.

   [RFC1305]  Mills, D., "Network Time Protocol (Version 3)
              Specification, Implementation", RFC 1305, March 1992.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5861]  Nottingham, M., "HTTP Cache-Control Extensions for Stale
              Content", RFC 5861, April 2010.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              April 2011.

Appendix A. Changes from RFC 2616

   Caching-related text has been substantially rewritten for clarity.

   The algorithm for calculating age is now less conservative.
   (Section 4.1.3)

   Caches are now required to handle dates with timezones as if they're
   invalid, because it's not possible to accurately guess.
   (Section 4.1.3)

   The Content-Location response header field is no longer used to
   determine the appropriate response to use when validating.
   (Section 4.2)

   The algorithm for selecting a cached negotiated response to use has
   been clarified in several ways.  In particular, it now explicitly
   allows header-specific canonicalization when processing selecting
   header fields.  (Section 4.3)

   Requirements regarding denial of service attack avoidance when
   performing invalidation have been clarified.  (Section 6)

   Cache invalidation only occurs when a successful response is
   received.  (Section 6)

   The conditions under which an authenticated response can be cached
   have been clarified.  (Section 3.2)

   The one-year limit on Expires header field values has been removed;
   instead, the reasoning for using a sensible value is given.
   (Section 7.3)

   The Pragma header field is now only defined for backwards
   compatibility; future pragmas are deprecated.  (Section 7.4)

   Cache directives are explicitly defined to be case-insensitive.
   (Section 7.2)

   Handling of multiple instances of cache directives when only one is
   expected is now defined.  (Section 7.2)

   The qualified forms of the private and no-cache cache directives are
   noted to not be widely implemented; e.g., "private=foo" is
   interpreted by many caches as simply "private".  Additionally, the
   meaning of the qualified form of no-cache has been clarified.
   (Section 7.2.2)

   The "no-store" cache request directive doesn't apply to responses;
   i.e., a cache can satisfy a request with no-store on it, and does not
   invalidate it.  (Section 7.2.1.2)

   The "no-cache" response cache directive's meaning has been clarified.
   (Section 7.2.2.3)

   New status codes can now define that caches are allowed to use
   heuristic freshness with them.
   (Section 4.1.2)

   Caches are now allowed to calculate heuristic freshness for URLs with
   query components.  (Section 4.1.2)

   Some requirements regarding production of the Warning header have
   been relaxed, as it is not widely implemented.  (Section 7.5)

   The Warning header field no longer uses RFC 2047 encoding, nor allows
   multiple languages, as these aspects were not implemented.
   (Section 7.5)

   This specification introduces the Cache Directive and Warn Code
   Registries, and defines considerations for new cache directives.
   (Section 7.2.3 and Section 7.5.8)

Appendix B. Imported ABNF

   The following core rules are included by reference, as defined in
   Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
   CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
   quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any
   8-bit sequence of data), SP (space), and VCHAR (any visible US-ASCII
   character).

   The rules below are defined in [Part1]:

     OWS           =
     field-name    =
     quoted-string =
     token         =

     port          =
     pseudonym     =
     uri-host      =

   The rules below are defined in other parts:

     HTTP-date     =

Appendix C. Collected ABNF

   Age = delta-seconds

   Cache-Control = *( "," OWS ) cache-directive *( OWS "," [ OWS
    cache-directive ] )

   Expires = HTTP-date

   HTTP-date =

   OWS =

   Pragma = *( "," OWS ) pragma-directive *( OWS "," [ OWS
    pragma-directive ] )

   Warning = *( "," OWS ) warning-value *( OWS "," [ OWS warning-value ]
    )

   cache-directive = token [ "=" ( token / quoted-string ) ]

   delta-seconds = 1*DIGIT

   extension-pragma = token [ "=" ( token / quoted-string ) ]

   field-name =

   port =
   pragma-directive = "no-cache" / extension-pragma
   pseudonym =

   quoted-string =

   token =

   uri-host =

   warn-agent = ( uri-host [ ":" port ] ) / pseudonym
   warn-code = 3DIGIT
   warn-date = DQUOTE HTTP-date DQUOTE
   warn-text = quoted-string
   warning-value = warn-code SP warn-agent SP warn-text [ SP warn-date
    ]

Appendix D. Change Log (to be removed by RFC Editor before publication)

   Changes up to the first Working Group Last Call draft are summarized
   in .

D.1. Since draft-ietf-httpbis-p6-cache-19

   Closed issues:

   o  : "untangle Cache-Control ABNF"

   o  : "Multiple values in Cache-Control header fields"

   o  : "Case sensitivity of header fields in CC values"

   o  : "Spurious 'MAYs'"

   o  : "enhance considerations for new cache control directives"

   o  : "ABNF requirements for recipients"

   o  : "note introduction of new IANA registries as normative changes"

   o  : "broken prose in description of 'Vary'"

D.2. Since draft-ietf-httpbis-p6-cache-20

   Closed issues:

   o  : "'Most Conservative'"

   Other changes:

   o  Conformance criteria and considerations regarding error handling
      are now defined in Part 1.

   o  Move definition of "Vary" header field into Part 2.

   o  Add security considerations with respect to cache poisoning and
      the "Set-Cookie" header field.

D.3. Since draft-ietf-httpbis-p6-cache-21

   Closed issues:

   o  : "Allowing heuristic caching for new status codes"

   o  : "304 without validator"

   o  : "No-Transform"

   o  : "Revert prior change to the meaning of the public cache response
      directive."

Index

   1
      110 Response is Stale (warn code)
      111 Revalidation Failed (warn code)
      112 Disconnected Operation (warn code)
      113 Heuristic Expiration (warn code)
      199 Miscellaneous Warning (warn code)

   2
      214 Transformation Applied (warn code)
      299 Miscellaneous Persistent Warning (warn code)

   A
      age
      Age header field

   C
      cache
      cache entry
      cache key
      Cache-Control header field
      cacheable

   E
      Expires header field
      explicit expiration time

   F
      first-hand
      fresh
      freshness lifetime

   G
      Grammar
         Age
         Cache-Control
         cache-directive
         delta-seconds
         Expires
         extension-pragma
         Pragma
         pragma-directive
         warn-agent
         warn-code
         warn-date
         warn-text
         Warning
         warning-value

   H
      heuristic expiration time

   M
      max-age (cache directive)
      max-stale (cache directive)
      min-fresh (cache directive)
      must-revalidate (cache directive)

   N
      no-cache (cache directive)
      no-store (cache directive)
      no-transform (cache directive)

   O
      only-if-cached (cache directive)

   P
      Pragma header field
      private (cache directive)
      private cache
      proxy-revalidate (cache directive)
      public (cache directive)

   S
      s-maxage (cache directive)
      shared cache
      stale
      strong validator

   V
      validator
         strong

   W
      Warning header field

Authors' Addresses

   Roy T. Fielding (editor)
   Adobe Systems Incorporated
   345 Park Ave
   San Jose, CA 95110
   USA

   EMail: fielding@gbiv.com
   URI:   http://roy.gbiv.com/


   Mark Nottingham (editor)
   Akamai

   EMail: mnot@mnot.net
   URI:   http://www.mnot.net/


   Julian F. Reschke (editor)
   greenbytes GmbH
   Hafenweg 16
   Muenster, NW 48155
   Germany

   EMail: julian.reschke@greenbytes.de
   URI:   http://greenbytes.de/tech/webdav/