22 Jul
Cache-control and TLS termination proxies
My website is served with TLS and does not use a (TLS-terminating) CDN. Is it still advisable to use Cache-Control: private for protected pages to account for (e.g. corporate) TLS termination proxies on the users' end (even though it is not possible to avoid content inspection by these proxies)?
Also, while the RFC states "that a shared cache MUST NOT store the response", Cloudflare says that a "response with a ‘private’ directive can only be cached by the client and never by an intermediary agent, such as a CDN or a proxy." Equating "must not" with "can not" is valid for RFC-compliant intermediary agents, but in practice, proxies might be configured to ignore the Cache-control header. Is this correct?
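
As an added illustration (not part of the original question), the Python below models the decision an RFC-compliant shared cache, such as a TLS-terminating proxy, makes before storing a response. The function names and sample headers are constructed for this example, and the rules are a simplified subset of RFC 9111 section 3 (request directives and 206 handling are left out).

```python
import re

# Simplified model of the RFC 9111 section 3 storage rules for a *shared* cache.
_DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)(?:=("[^"]*"|[^,\s]*))?')
HEURISTIC_STATUS = {200, 203, 204, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Return {directive: argument or None}; quoted arguments may contain commas."""
    return {name.lower(): (arg.strip('"') or None)
            for name, arg in _DIRECTIVE.findall(value or "")}

def shared_cache_may_store(method, status, request_headers, response_headers):
    """Return (allowed, reason) for a compliant shared cache (e.g. a proxy)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))
    if method not in ("GET", "HEAD"):
        return False, "method not handled by this model"
    if "no-store" in cc:
        return False, "no-store"
    if "private" in cc and cc["private"] is None:
        return False, "private"
    if "authorization" in req and not cc.keys() & {"public", "must-revalidate", "s-maxage"}:
        return False, "authenticated request without explicit shared-cache permission"
    explicit = bool(cc.keys() & {"public", "max-age", "s-maxage"}) or "expires" in resp
    if not explicit and status not in HEURISTIC_STATUS:
        return False, "no freshness information"
    if cc.get("private"):
        # Qualified form private="Field, ...": store, but without the listed fields.
        return True, "store without fields: " + cc["private"]
    return True, "storable"

if __name__ == "__main__":
    # Constructed sample responses for a cookie-authenticated page.
    samples = [
        {"Cache-Control": "private, max-age=300"},
        {"Cache-Control": "max-age=300"},
        {"Cache-Control": 'private="Set-Cookie", max-age=300'},
        {},
    ]
    for headers in samples:
        print(headers, "->", shared_cache_may_store("GET", 200, {"Cookie": "sid=constructed"}, headers))
```

In this model a cookie-authenticated response that omits the directive is storable by a shared cache, while the same response with an unqualified private directive is not.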