The correct minimum set of headers that works across all mentioned browsers:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Using PHP:
header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
header('Pragma: no-cache'); // HTTP 1.0.
header('Expires: 0'); // Proxies.
Using Java Servlet:
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0); // Proxies.
Using ASP.NET:
Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
Response.AppendHeader("Pragma", "no-cache"); // HTTP 1.0.
Response.AppendHeader("Expires", "0"); // Proxies.
Using Ruby on Rails:
response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate" # HTTP 1.1.
response.headers["Pragma"] = "no-cache" # HTTP 1.0.
response.headers["Expires"] = "0" # Proxies.
Using HTML:
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
The Cache-Control is per the HTTP 1.1 spec for clients (and implicitly required by some browsers next to Expires), the Pragma is per the HTTP 1.0 spec for clients and proxies and Expires is per the HTTP 1.1 spec for clients and proxies. Other Cache-Control parameters are irrelevant if the abovementioned three are specified. The Last-Modified header as included in most other answers here is only interesting if you actually want to cache the request, so you don't need to specify it at all.
Note that when the page is served over HTTP and a header is present in both the HTTP response headers and the HTML meta tags, then the one specified in the response header will get precedence over the HTML meta tag. The HTML meta tag will only be used when the page is viewed from local disk file system. See also W3 HTML spec chapter 5.2.2. Take care with this when you don't specify them programmatically, because the webserver can namely include some default values. To verify the one and other, you can see/debug them using Firebug Net panel.
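A scripted version of the verification step, as an added example that is not part of the original answer: it checks a raw response header block (for instance the output of `curl -sI`) against the three headers listed above. The function names and both sample responses are constructed for illustration.

```ruby
require 'time'

REQUIRED_DIRECTIVES = %w[no-cache no-store must-revalidate].freeze

# Constructed sample: application headers intact (Cache-Control split over two lines).
GOOD_SAMPLE = <<~HTTP
  HTTP/1.1 200 OK
  cache-control: no-cache, no-store
  Cache-Control: must-revalidate
  Pragma: no-cache
  Expires: 0
HTTP

# Constructed sample: only web server defaults reached the client.
BAD_SAMPLE = <<~HTTP
  HTTP/1.1 200 OK
  Cache-Control: max-age=3600
  Expires: Thu, 01 Jan 2099 00:00:00 GMT
HTTP

# Parse a raw header block into { "lowercased-name" => [values] },
# keeping repeated headers so a server-added duplicate is not lost.
def parse_headers(raw)
  headers = Hash.new { |hash, key| hash[key] = [] }
  raw.each_line do |line|
    name, value = line.chomp.split(':', 2)
    next if value.nil? # status line or blank line
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Returns a list of findings; an empty list means all three headers are in place.
def audit_no_cache(raw, now = Time.now)
  h = parse_headers(raw)
  findings = []
  directives = h['cache-control'].flat_map { |v| v.split(',') }.map { |d| d.strip.downcase }
  missing = REQUIRED_DIRECTIVES - directives
  findings << "Cache-Control missing: #{missing.join(', ')}" unless missing.empty?
  findings << 'Pragma: no-cache missing' unless h['pragma'].any? { |v| v.downcase == 'no-cache' }
  findings << 'Expires missing' if h['expires'].empty?
  h['expires'].each do |v|
    expiry = Time.httpdate(v) rescue nil # "0" is not a valid date, so it counts as expired
    findings << "Expires in the future: #{v}" if expiry && expiry > now
  end
  findings
end
```

Run it against the headers the client actually receives, not the ones the application sets, so that values added by the web server show up in the findings.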