id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28833	"""Cache-Control: private"" responses should not be cached by server"	Nathan Vander Wilt	shangdahao	"If the ""Cache-Control: private"" directive is set on a response, it must not be stored in a shared cache. Django's serverside caching system is a shared cache, but stores such responses anyway.

A response such as

{{{
Cache-Control: private
Content-Type: text/plain

Here is your own special random number: 42
}}}

should be cacheable only by the user's own browser [more or less], but Django currently reuses the response for subsequent requests from ''anyone''.


Some workarounds might be:

* use @never_cache or similar to ensure a max-age of 0, which **is** respected by the cache middleware, but also prevents the user's own private cache from storing it
* make sure the response varies on something private to the user (i.e. `Vary: Cookie`) in which case the entry will still be stored in a shared — but now less accessible — manner"	Cleanup/optimization	closed	HTTP handling	1.8	Normal	fixed			Accepted	1	0	0	0	0	0
