Summary
Currently there is no good way to set Cache-Control: no-store in Rails applications. One of the top StackOverflow answers currently suggests putting it directly into header set.
Unfortunately, it cannot later be overridden in specific/individual actions by calling e.g. expires_in 5.minutes. The resulting header in that case is Cache-Control: max-age=300, private, no-store (which doesn’t make much sense).
What’s the use of it
A couple of examples:
- To prevent rendering stale content if the browser return button is used (‘expires_now’ does not help).
- To prevent the browser disk cache being used. In some situations it’s considered a privacy/security risk.
Naming it
Random suggestions:
- no_store
- http_cache_no_store
Implementing it
Gave it a quick go and currently have this: https://github.com/tadas-s/rails/compare/master...cache-control-no-store
Not exactly elegant, mostly because I want to be able to override no_store with expires_now/in/etc and vice versa. E.g. when there’s a controller/app wide default set in before_action, but some specific controller actions need to override it.
Any thoughts? Is this something worth considering for Rails core?
Other Information
- Mozilla developer docs for Cache-Control header.
- Somewhat similar conversation mentioning no-store in PR 19556 which didn’t go anywhere. Couldn’t find any more examples / discussion about this.
Many Thanks, Tadas
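
As an added example (not part of the original post and not Rails code), this plain-Ruby check flags a Cache-Control value like the one quoted above, where no-store ends up beside a directive that permits storage or reuse, and strips the conflicting directives. The helper names and the list of conflicting directives are assumptions made for illustration.

```ruby
# Added example, not Rails code. Helper names are hypothetical.
# Directives that permit or extend storage/reuse, which no-store forbids.
# Assumption: this list is illustrative, not exhaustive.
CONFLICTS_WITH_NO_STORE = %w[max-age s-maxage public immutable
                             stale-while-revalidate stale-if-error].freeze

# Split a Cache-Control value into [lowercased_name, raw_text] pairs, e.g.
# "max-age=300, private" => [["max-age", "max-age=300"], ["private", "private"]].
# Assumption: no quoted directive arguments that contain commas.
def cache_control_directives(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?).map do |raw|
    [raw.split("=", 2).first.strip.downcase, raw]
  end
end

# Names of directives that contradict no-store; empty when no-store is absent.
def no_store_conflicts(value)
  names = cache_control_directives(value).map(&:first)
  return [] unless names.include?("no-store")
  names & CONFLICTS_WITH_NO_STORE
end

# Return the value with the contradicting directives removed, others untouched.
def drop_no_store_conflicts(value)
  conflicts = no_store_conflicts(value)
  return value if conflicts.empty?
  cache_control_directives(value)
    .reject { |name, _raw| conflicts.include?(name) }
    .map(&:last)
    .join(", ")
end

# Constructed sample values; the first is the header quoted in the post.
if __FILE__ == $PROGRAM_NAME
  ["max-age=300, private, no-store", "no-store", "max-age=300, private"].each do |v|
    puts "#{v.inspect} conflicts=#{no_store_conflicts(v).inspect} " \
         "-> #{drop_no_store_conflicts(v).inspect}"
  end
end
```

A check like this can run in a test suite against controller responses to catch actions where an app-wide no-store default and a per-action expires_in have been combined.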