Opened 4 months ago

Closed 6 weeks ago

#28833 closed Cleanup/optimization (fixed)

"Cache-Control: private" responses should not be cached by server

Reported by: Nathan Vander Wilt Owned by: shangdahao
Component: HTTP handling Version: 1.8
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


If the "Cache-Control: private" directive is set on a response, it must not be stored in a shared cache. Django's serverside caching system is a shared cache, but stores such responses anyway.

A response such as

Cache-Control: private
Content-Type: text/plain

Here is your own special random number: 42

should be cacheable only by the user's own browser [more or less], but Django currently reuses the response for subsequent requests from anyone.

Some workarounds might be:

  • use @never_cache or similar to ensure a max-age of 0 which is respected by the cache middleware, but also prevents the users own private cache from storing
  • make sure the response varies on something private to the user (i.e. Vary: Cookie) in which case the entry will still be stored in a shared — but now less accessible — manner

Change History (4)

comment:1 Changed 4 months ago by Tim Graham

Component: Core (Cache system)HTTP handling
Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization

comment:4 Changed 6 weeks ago by shangdahao

Owner: set to shangdahao
Status: newassigned

comment:5 Changed 6 weeks ago by shangdahao

Has patch: set

comment:6 Changed 6 weeks ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In d968788b:

Fixed #28833 -- Prevented CacheMiddleware from caching responses with "Cache-Control: private".

Note: See TracTickets for help on using tickets.
Back to Top