How do I configure HTTP response headers to prevent the browser from doing any caching?
Great question! Let's break down exactly what you need to know about preventing browser caching.
First, here are the key HTTP response headers you can use to block caching:
- `Cache-Control`: This is the primary header for controlling caching in modern browsers. To fully prevent caching, you'll want to use a combination of directives:
  - `no-cache`: Forces the browser to check with the server (via a validation request like `ETag` or `Last-Modified`) before using any cached copy.
  - `no-store`: Tells the browser to never store any part of the response—no caching at all, even for temporary use.
  - `must-revalidate`: Ensures that once the resource is considered expired, the browser can't use it without revalidating with the server.
- `Pragma`: A legacy HTTP/1.0 header, setting it to `no-cache` helps support older browsers that might not fully respect `Cache-Control`.
- `Expires`: Another HTTP/1.0 header; setting it to a past timestamp (like `Thu, 01 Jan 1970 00:00:00 GMT` or simply `0`) tells browsers the resource is already expired.
Now, to answer your second question: Is just setting `res.setHeader('cache-control','no-cache');` enough?
Short answer: No, not if you want to completely block any caching behavior. The `no-cache` directive only requires the browser to validate cached resources with the server before using them—it doesn't stop the browser from storing those resources in the first place.
If your goal is to ensure the browser never caches the resource (no storage, no reuse without full revalidation), you should use a more comprehensive configuration. Here's the recommended setup for most cases:
```javascript
// Modern browsers + full cache block
res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
// Fallback for older HTTP/1.0 browsers
res.setHeader('Pragma', 'no-cache');
// Explicitly mark as expired for HTTP/1.0
res.setHeader('Expires', '0');
```
This combination covers both modern and legacy browsers, leaving no room for unintended caching.
The question comes from Stack Exchange; it was asked by Alexander Mills.
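The difference between `no-cache` alone and the full header set can be checked mechanically, for example when reviewing responses that carry sensitive data. This is an added example, not part of the original answer: `applyNoStore`, `auditCaching` and the stand-in response object are hypothetical names, and the classification is simplified (it ignores heuristic freshness and the quoted-argument form of `no-cache`).

```javascript
// Set the three headers from the answer on a Node-style response object.
function applyNoStore(res) {
  res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
  res.setHeader('Pragma', 'no-cache');
  res.setHeader('Expires', '0');
  return res;
}

// Parse a Cache-Control value into a map of lowercase directive names.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || '').split(',')) {
    const [name, arg] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg);
  }
  return directives;
}

// Classify what a browser may do with a response, given its headers:
//   'not-stored'          no-store is present, nothing may be written to cache
//   'stored-revalidated'  no-cache without no-store: a copy may be kept on disk
//   'cacheable'           neither directive: the copy may be stored and reused
function auditCaching(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const cc = parseCacheControl(lower['cache-control']);
  if (cc.has('no-store')) return 'not-stored';
  if (cc.has('no-cache')) return 'stored-revalidated';
  return 'cacheable';
}

// Constructed stand-in for http.ServerResponse, just enough to collect headers.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

// Constructed sample inputs: the question's header, the answer's set, a static asset.
function demo() {
  return {
    onlyNoCache: auditCaching({ 'cache-control': 'no-cache' }),
    fullSet: auditCaching(applyNoStore(fakeResponse()).headers),
    publicAsset: auditCaching({ 'Cache-Control': 'public, max-age=3600' }),
  };
}

console.log(demo());
```
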




