How do I enable browser caching for my website? Do I put cache-control:public somewhere in the header?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Cache-Control:public;
>

I am using the latest version of PHP, developing on the latest version of XAMPP.


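Current answer

OWASP recommends the following:

Whenever possible, ensure the Cache-Control HTTP header is set with no-cache, no-store, must-revalidate, private; and that the Pragma HTTP header is set with no-cache.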

<IfModule mod_headers.c>
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
</IfModule>

Other answers

To use cache control in HTML, you can use a meta tag, for example:

<meta http-equiv="Cache-control" content="public">

The value in the content field is defined as one of the four values below.

Some information on the Cache-Control header is as follows:

HTTP 1.1. Allowed values = PUBLIC | PRIVATE | NO-CACHE | NO-STORE. Public - may be cached in public shared caches. Private - may only be cached in private cache. No-Cache - may not be cached. No-Store - may be cached but not archived. The directive CACHE-CONTROL:NO-CACHE indicates cached information should not be used and instead requests should be forwarded to the origin server. This directive has the same semantics as the PRAGMA:NO-CACHE. Clients SHOULD include both PRAGMA: NO-CACHE and CACHE-CONTROL: NO-CACHE when a no-cache request is sent to a server not known to be HTTP/1.1 compliant. Also see EXPIRES. Note: It may be better to specify cache commands in HTTP than in META statements, where they can influence more than the browser, but proxies and other intermediaries that may cache information.

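The meta cache control tag allows Web publishers to define how pages should be handled by caches. They include directives to declare what should be cacheable, what may be stored by caches, modifications of the expiration mechanism, and revalidation and reload controls.

The allowed values are:

Public - may be cached in public shared caches
Private - may only be cached in private cache
no-Cache - may not be cached
no-Store - may be cached but not archived

Please pay attention to case sensitivity. Add the following meta tags to the source of your web page. The difference in spelling at the end of the tag is whether you use " /> = xml" or "> = html".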

    <meta http-equiv="Cache-control" content="public">
    <meta http-equiv="Cache-control" content="private">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="Cache-control" content="no-store">

Source -> MetaTags

For an Apache server, you should check mod_expires for setting the Expires and Cache-Control headers.

Alternatively, you can use the Header directive to add Cache-Control yourself:

Header set Cache-Control "max-age=290304000, public"

This is the best .htaccess I have used on an actual website:

<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

##Tweaks##
Header set X-Frame-Options SAMEORIGIN

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>
## EXPIRES CACHING ##

<IfModule mod_headers.c>
    Header set Connection keep-alive
    <filesmatch "\.(ico|flv|gif|swf|eot|woff|otf|ttf|svg)$">
        Header set Cache-Control "max-age=2592000, public"
    </filesmatch>
    <filesmatch "\.(jpg|jpeg|png)$">
        Header set Cache-Control "max-age=1209600, public"
    </filesmatch>
    # css and js should use private for proxy caching https://developers.google.com/speed/docs/best-practices/caching#LeverageProxyCaching
    <filesmatch "\.(css)$">
        Header set Cache-Control "max-age=31536000, private"
    </filesmatch>
    <filesmatch "\.(js)$">
        Header set Cache-Control "max-age=1209600, private"
    </filesmatch>
    <filesMatch "\.(x?html?|php)$">
        Header set Cache-Control "max-age=600, private, must-revalidate"
    </filesMatch>
</IfModule>
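
An added example, not taken from any of the answers above: a small Python checker that parses Cache-Control values like the ones quoted on this page and reports what shared caches and browsers may do with a response that carries them. The function names and the `SAMPLES` list are illustrative; the header strings in it are copied from the answers.

```python
# Added example. Directive semantics follow RFC 9111 (HTTP Caching).
# Only explicit max-age is modelled; heuristic freshness and s-maxage are not.
OWASP_SENSITIVE = ("no-cache", "no-store", "must-revalidate", "private")

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}.
    Simplification: quoted arguments that contain commas are not handled."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def assess(value):
    """Report what caches may do with a response carrying this header value."""
    d = parse_cache_control(value)
    storable = "no-store" not in d
    max_age = d.get("max-age") or ""
    lifetime = int(max_age) if max_age.isdigit() else 0
    return {
        # Shared caches (proxies, CDNs) must not store private or no-store responses.
        "shared_cache_may_store": storable and "private" not in d,
        "browser_may_store": storable,
        # Seconds a browser may reuse its copy without contacting the origin.
        "browser_reuse_seconds": lifetime if storable and "no-cache" not in d else 0,
        # Directives from the OWASP recommendation that this value lacks.
        "missing_for_sensitive": [x for x in OWASP_SENSITIVE if x not in d],
    }

# Header values copied from the answers on this page.
SAMPLES = [
    "private, no-cache, no-store, proxy-revalidate, no-transform",
    "max-age=290304000, public",
    "max-age=600, private, must-revalidate",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", assess(value))
```

For the first sample the only directive reported as missing from the OWASP list is must-revalidate; because no-store already forbids keeping a copy, there is nothing left for a cache to revalidate. The third sample, applied to `.php` and HTML pages, still lets the browser reuse its private copy for 600 seconds.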