Directive "Pragma" no-cache

Issue #1483 resolved
Andrii Deinega created an issue

Both specifications and may omit the “Pragma“ directives.

This is a backward compatibility directive for old HTTP 1.0, and this directive is for an HTTP request, not a response. There was a discussion on that in OAuth2 WG here quite long ago.

In addition to that, the Cache-Control may include only “no-store“, as it already includes “no-cache” per

Comments (12)

  1. Michael Jones

    What is the specific specification change you are requesting? I can’t tell from the issue description.

  2. Andrii Deinega reporter

    I suggest removing all uses of “Pragma: no-cache“. The same applies to the OpenID Connect Core specification.

    Plus, change

    Cache-Control: no-cache, no-store


    Cache-Control: no-store

    BTW, the core specification uses the latter.

  3. Michael Jones

    I’m curious @Brian Campbell ,@Filip Skokan , and @Joseph Heenan what you think of this suggestion.

  4. Filip Skokan

    I agree with removing pragma. I will defer the “content of cache-control“ to others more versed in the semantics.

  5. Brian Campbell

    Definitely remove pragma.

    And, as far as I understand it, no-store is the strongest anti-cache directive that is sufficient alone and the one that actually means ‘don’t cache this' so Cache-Control: no-store is okay.

  6. Joseph Heenan

    I agree with changing Cache-Control to just no-store, and doing so brings logout into line with Connect & RFC6749.

    I don’t know what to do about Pragma. Both OIDCC and RFC6749 explicitly have a MUST for pragma in token endpoint responses, though it does seem to have been dropped in OAuth 2.1. Removing it from logout likely makes sense. Is removing Pragma from OIDCC in an errata possible?

  7. Andrii Deinega reporter

    What’s also quite interesting about the cache-control HTTP header is that it holds cache directives not only for responses but for requests as well. The “no-store“ directive

    The "no-store" request directive indicates that a cache MUST NOT
    store any part of either this request or any response to it. This
    directive applies to both private and shared caches. "MUST NOT
    store" in this context means that the cache MUST NOT intentionally
    store the information in non-volatile storage, and MUST make a
    best-effort attempt to remove the information from volatile storage
    as promptly as possible after forwarding it.


    It means that it might make sense to use this directive for certain requests that contain sensitive data hoping that, for example, the browser will make an attempt to remove it from the memory. Of course, there is no guarantee for that and RFC 7234 says

    This directive is NOT a reliable or sufficient mechanism for ensuring privacy.

    Although I believe, the same applies to any other directives.

  8. Log in to comment