Pragma no-cache

For technical support and bug reports for all editions of CSS HTML Validator, including htmlval for Linux and Mac.
User avatar
RSteinwand
Rank VI - Professional
Posts: 596
Joined: Mon Jun 09, 2008 2:12 pm
Location: Fargo, ND

Pragma no-cache

Post by RSteinwand »

Hi Albert,

A PCI audit a few years ago (before HTML5) recommended we add this:

Code: Select all

<meta http-equiv="pragma" content="no-cache"><meta http-equiv="cache-control" content="no-store,no-cache">
... yet CSE complains and calls it an error.
The "pragma" pragma directive specified by the "http-equiv" attribute is not recognized. Consider removing this tag. Visit https://www.w3.org/TR/html5/document-me ... directives and https://wiki.whatwg.org/wiki/PragmaExtensions for more information.

The "cache-control" pragma directive is not allowed and not used in HTML5. Furthermore, placing caching instructions into meta tags is not recommended because proxies may not handle them. Instead, use real HTTP headers to send caching instructions.
Wikipedia lists both as valid: https://en.wikipedia.org/wiki/List_of_H ... der_fields

This thread throws a little more light on the subject: http://stackoverflow.com/questions/1031 ... ol-headers
Pragma is the HTTP/1.0 implementation and cache-control is the HTTP/1.1 implementation of the same concept. They both are meant to prevent the client from caching the response. Older clients may not support HTTP/1.1 which is why that header is still in use.
Since requiring TLS 1.2 for all secure hits, I doubt we'd have too many "older clients" since IE9 isn't even allowed and all secure hits return HTTP/1.1.

No doubt using headers for all secure pages would be the best route and I'll have to see if I can add it to our web application and see if it works to simply add a no-cache header without removing existing headers. I wouldn't be surprised if a scan would suggest re-adding it.

What's your impression?
Rick
User avatar
Albert Wiersch
Site Admin
Posts: 3785
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Re: Pragma no-cache

Post by Albert Wiersch »

Hi Rick,

The Wikipedia article is talking about HTTP header fields and not meta tags in HTML.

Also, CSE HTML Validator should generate warnings, not errors, about those meta tags (unless you've changed it from the default). Is CSE HTML Validator really generating error messages for those meta tags (instead of warnings)?

I can't find anywhere that says those meta tags are "good" HTML so I think the warnings are justified for those meta tags.

If you don't want those warning generated then the easiest thing to do would be to disable those messages via exact text match. Actually, you could disable the one for "cache-control" by message ID and it would affect only cache-control. The message for "pragma", if disabled by message ID, would affect both "pragma" and values other than "pragma" so I would use exact text match for the "pragma" message. NOTE: In the next update the message for "pragma" should have a unique ID (2017042002) so it would be OK to disable it by message ID then (but not now).

Does this seem reasonable?
Albert Wiersch, CSS HTML Validator Developer • Download CSS HTML Validator FREE Trial
User avatar
RSteinwand
Rank VI - Professional
Posts: 596
Joined: Mon Jun 09, 2008 2:12 pm
Location: Fargo, ND

Re: Pragma no-cache

Post by RSteinwand »

Sounds good.

Thanks Albert.
Rick
User avatar
moganero
Rank II - Novice
Posts: 40
Joined: Tue Feb 01, 2005 5:47 am
Location: Newcastle under Lyme, UK

Re: Pragma no-cache

Post by moganero »

I'm getting a similar message with the Batch Wizard:
A "Pragma" HTTP header was sent with the server response but this header is only defined as applicable to requests from a client. Consider the "Cache-Control" header instead unless "Pragma" is needed for backwards compatibility. Visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma for more information. The full header sent was: Pragma: no-cache
I am not using a meta-tag, so I'm puzzled as to where the Pragma header originates. It only happens on a couple of pages on the site https://puerto-de-mogan.com/ and searching the source code for the site doesn't find any mention of Pragma, no-cache or Cache-Control.
User avatar
Albert Wiersch
Site Admin
Posts: 3785
Joined: Sat Dec 11, 2004 9:23 am
Location: Near Dallas, TX

Re: Pragma no-cache

Post by Albert Wiersch »

moganero wrote: Thu Aug 09, 2018 8:00 am I am not using a meta-tag, so I'm puzzled as to where the Pragma header originates. It only happens on a couple of pages on the site https://puerto-de-mogan.com/ and searching the source code for the site doesn't find any mention of Pragma, no-cache or Cache-Control.
Have you checked your web server configuration including .htaccess file(s)? It may be originating there.
Albert Wiersch, CSS HTML Validator Developer • Download CSS HTML Validator FREE Trial
User avatar
moganero
Rank II - Novice
Posts: 40
Joined: Tue Feb 01, 2005 5:47 am
Location: Newcastle under Lyme, UK

Re: Pragma no-cache

Post by moganero »

Albert Wiersch wrote: Thu Aug 09, 2018 10:01 am
moganero wrote: Thu Aug 09, 2018 8:00 am I am not using a meta-tag, so I'm puzzled as to where the Pragma header originates. It only happens on a couple of pages on the site https://puerto-de-mogan.com/ and searching the source code for the site doesn't find any mention of Pragma, no-cache or Cache-Control.
Have you checked your web server configuration including .htaccess file(s)? It may be originating there.
I've looked at the .htaccess file and php.ini there doesn't appear to be anything in there. phpinfo.php shows lots of mentions of cache, but I don't know if those would be relevant. Not sure what I'd be looking for!