POST as cacheable, although the overwhelming majority of cache implementations only support GET. Commonly cached responses include:
- a 200 OK response to a GET request containing a resource such as an HTML document, image or file,
- a 301 Moved Permanently response,
- a 404 Not Found result page,
- a 206 Partial Content response,
- responses to a request method other than GET if something suitable for use as a cache key is defined.
If a cached response carries a Vary header field, the cache must not reuse that response unless all header fields nominated by the Vary header match in both the original (cached) request and the new request.
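The following Python sketch of a cache lookup, added here as an example (not code from the page or from any of the sources it quotes), applies that Vary rule: each stored entry records the values of the request headers named by the response's Vary field, and a later request only receives that entry if those values match. The request and response dictionaries are constructed for the illustration.

```python
from typing import Dict, List, Optional, Tuple


class VaryAwareCache:
    """Minimal shared-cache model keyed by (method, URL), with per-key variants
    selected by the request headers that the stored response's Vary names."""

    def __init__(self) -> None:
        # (method, url) -> list of (selected request headers, response)
        self._store: Dict[Tuple[str, str], List[Tuple[dict, dict]]] = {}

    @staticmethod
    def _vary_names(response: dict) -> List[str]:
        """Header names listed in the response's Vary field, lower-cased."""
        headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
        vary = headers.get("vary", "")
        return [name.strip().lower() for name in vary.split(",") if name.strip()]

    @staticmethod
    def _select(request_headers: dict, names: List[str]) -> dict:
        """Values of the named request headers (None when absent). Header names
        compare case-insensitively, values verbatim."""
        lower = {k.lower(): v for k, v in request_headers.items()}
        return {name: lower.get(name) for name in names}

    def store(self, request: dict, response: dict) -> None:
        names = self._vary_names(response)
        if "*" in names:
            return  # Vary: * means no later request can be proven to match
        key = (request["method"], request["url"])
        selected = self._select(request["headers"], names)
        self._store.setdefault(key, []).append((selected, response))

    def lookup(self, request: dict) -> Optional[dict]:
        """Return a stored response whose Vary-selected headers all match the
        new request, or None for a cache miss."""
        key = (request["method"], request["url"])
        for selected, response in self._store.get(key, []):
            if self._select(request["headers"], list(selected)) == selected:
                return response
        return None


def demo() -> Tuple[bool, bool]:
    """Constructed exchange: a gzip variant of /app.js is cached; a gzip request
    hits it, an identity request misses. Returns (hit, miss)."""
    cache = VaryAwareCache()
    gzip_req = {"method": "GET", "url": "/app.js",
                "headers": {"Host": "example.com", "Accept-Encoding": "gzip"}}
    resp = {"status": 200,
            "headers": {"Vary": "Accept-Encoding", "Content-Encoding": "gzip"},
            "body": b"..."}
    cache.store(gzip_req, resp)
    identity_req = {"method": "GET", "url": "/app.js",
                    "headers": {"Host": "example.com", "accept-encoding": "identity"}}
    return cache.lookup(gzip_req) is resp, cache.lookup(identity_req) is None
```

Note that a request that omits a header named in Vary only matches an entry that was also stored from a request without that header; the lookup never falls back to "any variant", which is exactly the behaviour the rule demands.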
The Cache-Control (HTTP/1.1) general-header field is used to specify directives for caching mechanisms in both requests and responses. Caching directives are unidirectional: a given directive in a request does not imply that the same directive will be given in the response.
Pragma: no-cache behaves the same as Cache-Control: no-cache if the Cache-Control header field is omitted in a request. Use Pragma only for backwards compatibility with HTTP/1.0 clients.
The private directive indicates that the response is intended for a single user only and must not be stored by a shared cache. A private browser cache may still store the response.
If an ETag header was part of the response for a resource, the client can send that value back in an If-None-Match header on future requests in order to validate the cached resource.
The server can either return a full 200 OK response, or it can return 304 Not Modified (with an empty body) to instruct the browser to use its cached copy. The latter response can also include headers that update the expiration time of the cached document.
If a Cache-Control: max-age=N header is specified, then the freshness lifetime is N seconds. Otherwise, if a Last-Modified header is present, the freshness lifetime is estimated heuristically as one tenth of the difference between the Date header and the Last-Modified header, that is (Date minus Last-Modified) divided by 10.
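The two freshness rules above and the ETag revalidation exchange are easy to get subtly wrong (which operand the "divided by 10" applies to, weak versus strong ETag comparison), so here is an added example in Python, written for this page rather than taken from the article or from MDN, that implements both sides: the cache's freshness computation and the origin's handling of a conditional request. Header values are constructed for the illustration; the function names are my own.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple


def freshness_lifetime(response_headers: Dict[str, str]) -> Optional[int]:
    """Seconds for which a response may be reused without revalidation.
    Cache-Control: max-age=N wins; otherwise the heuristic
    (Date - Last-Modified) / 10 applies when both headers are present.
    Returns None when neither rule applies, so the cache must revalidate."""
    h = {k.lower(): v for k, v in response_headers.items()}
    m = re.search(r"(?:^|,)\s*max-age=(\d+)", h.get("cache-control", ""))
    if m:
        return int(m.group(1))
    if "last-modified" in h and "date" in h:
        delta = parsedate_to_datetime(h["date"]) - parsedate_to_datetime(h["last-modified"])
        return max(0, int(delta.total_seconds())) // 10
    return None


def is_fresh(response_headers: Dict[str, str], age: int) -> bool:
    """True if a copy that has been cached for `age` seconds may still be
    served without contacting the origin."""
    lifetime = freshness_lifetime(response_headers)
    return lifetime is not None and age < lifetime


def _strip_weak(tag: str) -> str:
    """Weak comparison ignores the W/ prefix on either side."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def handle_conditional(request_headers: Dict[str, str], current_etag: str,
                       body: bytes, max_age: int) -> Tuple[int, bytes, Dict[str, str]]:
    """Origin-side revalidation. If-None-Match is compared weakly against the
    resource's current ETag: on a match the origin answers 304 with an empty
    body plus headers that extend the cached copy's lifetime; otherwise it
    sends a full 200 with the same headers."""
    inm = {k.lower(): v for k, v in request_headers.items()}.get("if-none-match")
    headers = {"ETag": current_etag, "Cache-Control": f"max-age={max_age}"}
    if inm is not None:
        tags = [_strip_weak(t) for t in inm.split(",")]
        if "*" in tags or _strip_weak(current_etag) in tags:
            return 304, b"", headers
    return 200, body, headers
```

A cache that calls `is_fresh` with the copy's current age gets a straight yes/no; when the answer is no, it sends the stored ETag in If-None-Match and, on a 304, keeps the old body but adopts the new Cache-Control value, which is the "headers that update the expiration time" case from the text.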
The X-Forwarded-Host header has been used by the application to generate an Open Graph URL inside a meta tag. The next step is to explore whether it's exploitable; start with a simple XSS payload:
Don't let the Cache-Control: no-cache header dissuade you; it's always better to attempt an attack than to assume it won't work.
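To make the vulnerability class concrete, here is an added example (my own code, not from the article quoted above) of the pattern described: a handler that builds the og:url meta tag from X-Forwarded-Host, beside a hardened version. The trusted-host allow-list, the function names and the probe header value are constructed for the illustration.

```python
import html
from typing import Dict

# Assumption for the example: the canonical hostnames this deployment serves.
TRUSTED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"


def og_meta_vulnerable(request_headers: Dict[str, str], path: str) -> str:
    """The pattern the text describes: X-Forwarded-Host, an unkeyed header any
    client can send, is preferred over Host and interpolated into HTML
    unescaped. If the cache stores the result, the injected markup is served
    to every later visitor of the same URL."""
    h = {k.lower(): v for k, v in request_headers.items()}
    host = h.get("x-forwarded-host") or h["host"]
    return f'<meta property="og:url" content="https://{host}{path}">'


def og_meta_hardened(request_headers: Dict[str, str], path: str) -> str:
    """Two independent fixes: derive the host from an allow-list (so the
    forwarded value can only select among known hosts, never supply a new
    one) and HTML-escape the attribute value regardless."""
    h = {k.lower(): v for k, v in request_headers.items()}
    forwarded = h.get("x-forwarded-host") or h.get("host", "")
    candidate = forwarded.split(",")[0].strip().lower()  # first hop if chained
    host = candidate if candidate in TRUSTED_HOSTS else CANONICAL_HOST
    url = html.escape(f"https://{host}{path}", quote=True)
    return f'<meta property="og:url" content="{url}">'


# Constructed probe header set for the example: a value that closes the
# content attribute and the meta tag, then injects a script element.
PROBE_HEADERS = {"Host": "example.com",
                 "X-Forwarded-Host": 'a."><script>alert(1)</script>'}


def reflected_unescaped(rendered: str) -> bool:
    """True if the probe's tag survived into the output as live markup."""
    return "<script>" in rendered
```

Escaping alone would stop the script injection but still let an attacker choose the host in og:url (and whatever else is derived from it); the allow-list alone would stop host selection but leaves any other reflected value unescaped. Both belong in the fix, and the cache key question (whether X-Forwarded-Host is part of it) remains separate from either.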