id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
28833,"""Cache-Control: private"" responses should not be cached by server",Nathan Vander Wilt,shangdahao,"If the ""Cache-Control: private"" directive is set on a response, it must not be stored in a shared cache. Django's server-side caching system is a shared cache, but stores such responses anyway.

A response such as

{{{
Cache-Control: private
Content-Type: text/plain

Here is your own special random number: 42
}}}

should be cacheable only by the user's own browser [more or less], but Django currently reuses the response for subsequent requests from ''anyone''.

Some workarounds might be:

* use @never_cache or similar to ensure a max-age of 0 which **is** respected by the cache middleware, but also prevents the user's own private cache from storing
* make sure the response varies on something private to the user (i.e. `Vary: Cookie`) in which case the entry will still be stored in a shared — but now less accessible — manner",Cleanup/optimization,closed,HTTP handling,1.8,Normal,fixed,,,Accepted,1,0,0,0,0,0