To start, the complete set is:
httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
httpResponse.setDateHeader("Expires", 0); // Proxies.
The no-store and must-revalidate are required to get it to work in Firefox.
But, even after implementing the above filter, some pages are cached (accessible using browser's back button).
How did you test it? Those headers will actually prevent the browser from requesting the page from the browser cache instead of directly from the server. Best test is to have a Filter listen on /* and add a debug statement like:
HttpServletRequest httpRequest = (HttpServletRequest) request;
String method = httpRequest.getMethod();
String URI = httpRequest.getRequestURI();
System.out.println(method + " request invoked on " + URI);
This should print the actual requests.
Also ensure that you don't override the headers in the JSP page itself using the HTML <meta> tags.
And other pages that are not cached, show Web Page Expired error in Internet Explorer.
You can only get this if the non-cached request was a POST request, not a GET request. The GET requests will simply be requested from the server again instead of from the browser cache.
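To confirm what a page actually sends, the response can be checked against the complete set above and scanned for <meta> tags that restate caching headers. The following is an added example, not part of the original answer, written in Python rather than Java so it can run outside the servlet container; the names `audit` and `expired`, the finding strings and the sample responses are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REQUIRED = {"no-cache", "no-store", "must-revalidate"}
# <meta http-equiv=...> tags in the page that restate caching headers
META_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?(cache-control|pragma|expires)', re.I)

def expired(value):
    """True if an Expires value denotes a time in the past."""
    if value is None:
        return False
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True  # invalid dates such as "0" count as already expired (RFC 7234)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def audit(headers, body=""):
    """Return findings for one response; an empty list means the full set is present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    sent = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    missing = REQUIRED - sent
    if missing:
        findings.append("Cache-Control missing: " + ", ".join(sorted(missing)))
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache not set")
    if not expired(h.get("expires")):
        findings.append("Expires absent or in the future")
    findings += ["HTML meta tag sets " + m.group(1).lower() for m in META_RE.finditer(body)]
    return findings

# Constructed sample responses (not captured from a real server)
GOOD = {"Cache-Control": "no-cache, no-store, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"}
BAD = {"Cache-Control": "no-cache"}
BAD_BODY = '<html><head><meta http-equiv="Cache-Control" content="public"></head></html>'

if __name__ == "__main__":
    print(audit(GOOD))
    for finding in audit(BAD, BAD_BODY):
        print(finding)
```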