Pragma no-cache

Posted: Thu Apr 20, 2017 9:49 am
by RSteinwand
Hi Albert,

A PCI audit a few years ago (before HTML5) recommended we add this:

<meta http-equiv="pragma" content="no-cache"><meta http-equiv="cache-control" content="no-store,no-cache">
... yet CSE complains and calls it an error.
The "pragma" pragma directive specified by the "http-equiv" attribute is not recognized. Consider removing this tag. Visit https://www.w3.org/TR/html5/document-me ... directives and https://wiki.whatwg.org/wiki/PragmaExtensions for more information.

The "cache-control" pragma directive is not allowed and not used in HTML5. Furthermore, placing caching instructions into meta tags is not recommended because proxies may not handle them. Instead, use real HTTP headers to send caching instructions.
Wikipedia lists both as valid: https://en.wikipedia.org/wiki/List_of_H ... der_fields

This thread throws a little more light on the subject: http://stackoverflow.com/questions/1031 ... ol-headers
Pragma is the HTTP/1.0 implementation and cache-control is the HTTP/1.1 implementation of the same concept. They both are meant to prevent the client from caching the response. Older clients may not support HTTP/1.1 which is why that header is still in use.
Since requiring TLS 1.2 for all secure hits, I doubt we'd have too many "older clients" since IE9 isn't even allowed and all secure hits return HTTP/1.1.

No doubt using headers for all secure pages would be the best route and I'll have to see if I can add it to our web application and see if it works to simply add a no-cache header without removing existing headers. I wouldn't be surprised if a scan would suggest re-adding it.

What's your impression?

Re: Pragma no-cache

Posted: Thu Apr 20, 2017 3:57 pm
by Albert Wiersch
Hi Rick,

The Wikipedia article is talking about HTTP header fields and not meta tags in HTML.

Also, CSE HTML Validator should generate warnings, not errors, about those meta tags (unless you've changed it from the default). Is CSE HTML Validator really generating error messages for those meta tags (instead of warnings)?

I can't find anywhere that says those meta tags are "good" HTML so I think the warnings are justified for those meta tags.

If you don't want those warnings generated then the easiest thing to do would be to disable those messages via exact text match. Actually, you could disable the one for "cache-control" by message ID and it would affect only cache-control. The message for "pragma", if disabled by message ID, would affect both "pragma" and values other than "pragma" so I would use exact text match for the "pragma" message. NOTE: In the next update the message for "pragma" should have a unique ID (2017042002) so it would be OK to disable it by message ID then (but not now).

Does this seem reasonable?

Re: Pragma no-cache

Posted: Fri May 19, 2017 12:52 pm
by RSteinwand
Sounds good.

Thanks Albert.

Re: Pragma no-cache

Posted: Thu Aug 09, 2018 8:00 am
by moganero
I'm getting a similar message with the Batch Wizard:
A "Pragma" HTTP header was sent with the server response but this header is only defined as applicable to requests from a client. Consider the "Cache-Control" header instead unless "Pragma" is needed for backwards compatibility. Visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma for more information. The full header sent was: Pragma: no-cache
I am not using a meta-tag, so I'm puzzled as to where the Pragma header originates. It only happens on a couple of pages on the site https://puerto-de-mogan.com/ and searching the source code for the site doesn't find any mention of Pragma, no-cache or Cache-Control.

Re: Pragma no-cache

Posted: Thu Aug 09, 2018 10:01 am
by Albert Wiersch
moganero wrote: Thu Aug 09, 2018 8:00 am I am not using a meta-tag, so I'm puzzled as to where the Pragma header originates. It only happens on a couple of pages on the site https://puerto-de-mogan.com/ and searching the source code for the site doesn't find any mention of Pragma, no-cache or Cache-Control.
Have you checked your web server configuration including .htaccess file(s)? It may be originating there.

Re: Pragma no-cache

Posted: Thu Aug 09, 2018 10:20 am
by moganero
Albert Wiersch wrote: Thu Aug 09, 2018 10:01 am
moganero wrote: Thu Aug 09, 2018 8:00 am I am not using a meta-tag, so I'm puzzled as to where the Pragma header originates. It only happens on a couple of pages on the site https://puerto-de-mogan.com/ and searching the source code for the site doesn't find any mention of Pragma, no-cache or Cache-Control.
Have you checked your web server configuration including .htaccess file(s)? It may be originating there.
I've looked at the .htaccess file and php.ini; there doesn't appear to be anything in there. phpinfo.php shows lots of mentions of cache, but I don't know if those would be relevant. Not sure what I'd be looking for!
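
Added example, not part of the original thread or of CSE HTML Validator: a small audit that covers both cases discussed above, caching directives placed in `<meta http-equiv>` tags instead of real HTTP headers, and a `Pragma` response header sent without `Cache-Control`. The names `MetaCacheFinder` and `audit_caching` are hypothetical, the sample responses are constructed, and the check assumes every audited page is one that must not be cached.

```python
from html.parser import HTMLParser

CACHE_PRAGMAS = {"pragma", "cache-control"}  # the two http-equiv values from the thread

class MetaCacheFinder(HTMLParser):
    """Collects <meta http-equiv=...> tags that try to set caching policy."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("http-equiv", "").strip().lower()
        if name in CACHE_PRAGMAS:
            self.found.append((name, a.get("content", "")))

def audit_caching(headers, html):
    """Return findings for one response; headers is a dict, html a string."""
    h = {k.lower(): v for k, v in headers.items()}
    # Split "no-store, max-age=0" into bare directive names.
    directives = {d.strip().lower().split("=")[0]
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    finder = MetaCacheFinder()
    finder.feed(html)
    findings = []
    if "no-store" not in directives:
        findings.append("no 'no-store' in a real Cache-Control header")
    for name, content in finder.found:
        findings.append(f"meta http-equiv={name!r} ({content!r}) is not a "
                        "substitute for an HTTP header")
    if "pragma" in h and "cache-control" not in h:
        findings.append("Pragma sent on a response without Cache-Control")
    return findings

# Constructed sample responses (not captured from any real site).
META_ONLY = ({"Content-Type": "text/html"},
             '<meta http-equiv="pragma" content="no-cache">'
             '<meta http-equiv="cache-control" content="no-store,no-cache">')
HEADER_BASED = ({"Cache-Control": "no-store, no-cache", "Pragma": "no-cache"},
                "<title>account</title>")
PRAGMA_ONLY = ({"Pragma": "no-cache"}, "<title>page</title>")

if __name__ == "__main__":
    for label, (hdrs, body) in [("meta only", META_ONLY),
                                ("headers", HEADER_BASED),
                                ("pragma only", PRAGMA_ONLY)]:
        print(label, audit_caching(hdrs, body))
```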