Explicitly disable caching for REST services

Question

I am to apply Cache-Control: must-revalidate,no-cache,no-store to all responses from out backend REST services. I have two questions about it:

• Is it common to do so? For some reason I was under the impression that it's not necessary, but I have no source to back this claim (yet).
• Is the value I mentioned above really sufficient, or should I set more?

Edit: found this: https://devcenter.heroku.com/articles/increasing-application-performance-with-http-cache-headers#cache-prevention. Is says browsers may choose to cache when nothing is explicitly configured, so it means yes, it should be configured if I want to make sure cache is disabled.

Answer 1

Short: yes, caches may cache the response even if no explicit controls are present, you need to explicitly disallow it.

The HTTP caching specification Section 3 lists when the response is forbidden to be cached. It suggests that the response may be cached as long as the response code is cacheable. A list of cacheable response codes is in the HTTP specification section 6.1:

Responses with status codes that are defined as cacheable by default (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in this specification) can be reused by a cache with heuristic expiration unless otherwise indicated by the method definition or explicit cache controls...

"Heuristic expiration" is defined as the expiration time assigned when no explicit controls are present. (HTTP caching specification section 4.2.)