Opened 3 weeks ago

Last modified 3 weeks ago

#28833 assigned Cleanup/optimization

"Cache-Control: private" responses should not be cached by server

Reported by: Nathan Vander Wilt
Owned by: Srinivas Reddy Thatiparthy
Component: HTTP handling
Version: 1.8
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


If the "Cache-Control: private" directive is set on a response, it must not be stored in a shared cache. Django's server-side caching system is a shared cache, but stores such responses anyway.

A response such as

Cache-Control: private
Content-Type: text/plain

Here is your own special random number: 42

should be cacheable only by the user's own browser [more or less], but Django currently reuses the response for subsequent requests from anyone.

Some workarounds might be:

  • use @never_cache or similar to ensure a max-age of 0 which is respected by the cache middleware, but also prevents the user's own private cache from storing
  • make sure the response varies on something private to the user (i.e. Vary: Cookie) in which case the entry will still be stored in a shared — but now less accessible — manner
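The shared-cache decision the ticket asks for, as an added example that is not Django's own code: a small header parser that refuses to store "private" (and "no-store") responses in a shared cache while keeping the existing max-age=0 refusal, plus the Vary-based keying behind the second workaround. All function names are illustrative, not Django APIs.

```python
# Added example, not Django's own code: a shared-cache storage decision that
# honours "Cache-Control: private" as the ticket requests, plus the Vary-based
# keying behind the second workaround. Names are illustrative, not Django APIs.
from typing import Dict, Optional, Tuple

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """True if a shared (server-side) cache may store this response.

    A missing Cache-Control header is treated as storable, matching the
    middleware behaviour the ticket describes; "private" and "no-store"
    are the refusals being added, and max-age=0 stays refused as before.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return False  # RFC 7234: must not be stored by a shared cache
    max_age = cc.get("s-maxage", cc.get("max-age"))
    if max_age is not None:
        try:
            return int(max_age) > 0
        except ValueError:
            return False  # malformed freshness lifetime: do not cache
    return True

def shared_cache_key(path: str, response_headers: Dict[str, str],
                     request_headers: Dict[str, str]) -> Tuple:
    """Key a stored response on the path plus every request header named in
    Vary, so 'Vary: Cookie' separates entries per session (second workaround)."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    vary = [h.strip().lower() for h in lowered.get("vary", "").split(",") if h.strip()]
    req = {k.lower(): v for k, v in request_headers.items()}
    return (path,) + tuple((h, req.get(h, "")) for h in vary)

# Constructed samples: the ticket's private response and a public one.
PRIVATE_RESPONSE = {"Cache-Control": "private", "Content-Type": "text/plain"}
PUBLIC_RESPONSE = {"Cache-Control": "public, max-age=300"}
```

`shared_cache_may_store(PRIVATE_RESPONSE)` returns False and `shared_cache_may_store(PUBLIC_RESPONSE)` returns True; two requests with different Cookie values against a `Vary: Cookie` response get different keys from `shared_cache_key`.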

Change History (2)

comment:1 Changed 3 weeks ago by Tim Graham

Component: Core (Cache system) → HTTP handling
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

comment:2 Changed 3 weeks ago by Srinivas Reddy Thatiparthy

Owner: changed from nobody to Srinivas Reddy Thatiparthy
Status: new → assigned