Will content requested over https still be cached by web browsers or do they consider this insecure behaviour? If this is the case, is there any way to tell them it's ok to cache?

A: 

I'm trying to figure out why they wouldn't cache files received over https without the cache-expiry (or hints in the URL, such as a ? with parameters in the URL) telling them otherwise?

Have you checked your own cache?

Tanktalus
+2  A: 

For Firefox, check out CacheViewer

Andre Bossard
+14  A: 

By default web browsers should cache content over HTTPS the same as over HTTP, unless explicitly told otherwise via the HTTP Headers received.

This link is a good introduction to setting cache setting in HTTP headers.

is there anyway to tell them it's ok to cache?

This can be achieved by setting the max-age value in the Cache-Control header to a non-zero value, e.g.

Cache-Control: max-age=3600

will tell the browser that this page can be cached for 3600 seconds (1 hour).

ConroyP
https content is not cached to disk by firefox, opera, or chrome. IE does cache it to disk.
menko
Does anyone know if WebKit browsers will now cache https content?
Adam
A: 

The paranoid option is to never cache HTTPS, because it should not be readable by anybody outside of the current session, including others on the local computer reading out of the local cache. How paranoid the creators of browsers are varies.

ephemient
+6  A: 

It depends on the browser.

For example, in Internet Explorer, you go to Tools > Internet Options > Advanced tab > Security section > Do not save encrypted pages to disk. It appears to be unchecked by default in IE6, 7 and 8 Beta 2.

I tried to find a similar setting in Firefox but my limited research did not identify any specific setting in the UI that would do that. There is probably a setting in about:config that would stop caching of https content, but again, I wasn't able to find anything doing some limited searching on Google.

In general it appears browsers will cache content received over https unless instructed otherwise.

Grant Wagner
+13  A: 

Yes, they will. By default, Firefox doesn't cache SSL objects on disk, but Firefox 3+ now caches them on disk as well provided they have a "Cache-control:public".

It's a privacy feature.

I'm not sure about other browsers. Setting "Cache-control:public" on objects which are public (i.e. not user-specific) is probably a good idea.

MarkR
Correct, with one caveat: http://blogs.msdn.com/ieinternals/archive/2010/04/21/Internet-Explorer-May-Bypass-Cache-for-Cross-Domain-HTTPS-Content.aspx
EricLaw -MSFT-
It appears, then, that the general trend is towards allowing caching of HTTPS objects; this is normally a Good Thing, as developers should be telling the browser not to cache objects at all if they are privacy-sensitive, and allowing it to do so when they are not (e.g. images, css, which is very performance-beneficial especially on HTTPS). Thanks for that.
MarkR
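The policy described in the answer and comment above (let browsers cache public objects, forbid storage of privacy-sensitive ones), as an added example that is not part of the original thread: a small audit of HTTPS response headers. The sample paths, the `sensitive` flag supplied by the caller, and the use of `no-store` as the "do not cache at all" directive are assumptions of this example.

```python
def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit(headers, sensitive):
    """Return findings for one HTTPS response.

    headers:   dict of response headers (any case).
    sensitive: True if the body is user-specific (decided by the caller).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    try:
        age = int(cc.get("max-age"))
    except (TypeError, ValueError):
        age = None  # absent or malformed max-age
    findings = []
    if sensitive:
        if "no-store" not in cc:
            findings.append("sensitive response may be stored: add no-store")
        if "public" in cc:
            findings.append("sensitive response marked public")
    elif ("no-store" in cc or "no-cache" in cc
          or h.get("pragma", "").lower() == "no-cache"):
        findings.append("public asset declared non-cacheable")
    elif not age:
        findings.append("public asset has no positive max-age")
    elif "public" not in cc:
        # Per the answer above, Firefox 3+ wants this for HTTPS disk caching.
        findings.append("public asset lacks 'public'")
    return findings

# Constructed sample responses: (path, headers, sensitive)
SAMPLES = [
    ("/static/site.css", {"Cache-Control": "public, max-age=3600"}, False),
    ("/static/logo.png", {"Cache-Control": "max-age=3600"}, False),
    ("/account/statement", {"Cache-Control": "max-age=3600"}, True),
    ("/account/profile", {"Cache-Control": "no-store"}, True),
    ("/static/app.js", {"Pragma": "no-cache"}, False),
]

if __name__ == "__main__":
    for path, headers, sensitive in SAMPLES:
        print(path, audit(headers, sensitive) or "ok")
```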
+1  A: 

Apparently Firefox does not cache https content (there is an open bug regarding it). Internet Explorer will respect the headers and cache appropriately.

Edit: Firefox3 does now support caching: http://blogs.gnome.org/jamesh/2008/05/01/firefox-ssl/

slashnick
Bug seems to have been fixed since late 2007, now stored to disk - available as a pref: https://bugzilla.mozilla.org/show_bug.cgi?id=309368#c19
ConroyP
If you press F5, Firefox will send a request with max-age=0 in it (normally resulting in a 304). Clicking a link won't send a request if the item is properly cached.
Greg
+2  A: 

There is a very nice problem concerning HTTPS caching in IE, namely, there are times that, because a certain object (e.g., an embedded ActiveX) is declared non-cacheable (via Pragma: no-cache, or via Cache-Control), it will not be displayed at all. See, for example, here:

http://support.microsoft.com/kb/316431

+1  A: 

Yes, browsers will cache content over HTTPS. Check this link: http://neopatel.blogspot.com/2010/02/firefox3-and-caching-https-content.html

Kalpesh Patel