RFC 7234

RFC 7234
Title	RFC 7234
Status	Internet Standard
Subject	HTTP/1.1 Caching
Authors	Paul Hoffman, Mark Nottingham
Published	2014
Series	RFC
Number	7234
Related	RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7235

RFC 7234 RFC 7234 specifies HTTP/1.1 caching semantics, defining how intermediaries and user agents store, reuse, and validate responses. It updates and refines caching behaviors previously defined in earlier HTTP specifications, aiming to improve interoperability among implementations such as web browsers, proxies, and content delivery networks. The document intersects with standards and organizations including the Internet Engineering Task Force Internet Engineering Task Force, the Internet Architecture Board Internet Architecture Board, the World Wide Web Consortium World Wide Web Consortium, and implementations by vendors like Mozilla Corporation, Google LLC, Microsoft Corporation, and academic groups at institutions such as Massachusetts Institute of Technology and Stanford University.

Overview

RFC 7234 defines cache roles (shared cache, private cache), cacheable response characteristics, and freshness models. It situates caching within the HTTP/1.1 suite alongside message syntax in RFC 7230 and semantics in RFC 7231, referencing validation mechanisms from RFC 7232 and range considerations from RFC 7233. The specification details the cacheability of responses with status codes like 200 OK, 301 Moved Permanently, 304 Not Modified and their interactions with headers such as Expires and Cache-Control. Implementers from groups like the IETF HTTP Working Group, operators of Akamai Technologies and Cloudflare, Inc. rely on its definitions to align behavior across servers, reverse proxies, and client agents such as Opera Software and Apple Inc.'s WebKit-based browsers.

Cache Controls and Directives

The document enumerates Cache-Control directives (e.g., max-age, public, private, no-store, no-cache) and explains precedence rules among them. These directives govern caches run by entities including content distribution systems at Amazon Web Services, enterprise appliances from F5 Networks, and open-source proxies like Squid (software) and Varnish (software). Interaction with conditional requests using validators (ETag, Last-Modified) ties to header semantics defined in companion RFCs and to implementations in web servers such as Apache HTTP Server, nginx, and Microsoft IIS. Operators of large-scale platforms like Facebook and Twitter apply these directives to manage bandwidth, latency, and origin load.

Validation and Invalidation

RFC 7234 specifies validation using validators (strong and weak ETags, Last-Modified) and the 304 Not Modified response, defining how caches perform conditional GETs and when stored entries are considered stale. Invalidation rules cover explicit actions (e.g., Cache-Control: no-cache) and implicit behaviors (e.g., certain status codes that are not cacheable). These mechanisms are critical for systems using reverse proxies in front of content management platforms such as WordPress and Drupal (software), and for API gateways deployed by organizations like Stripe and PayPal Holdings, Inc.. The spec also addresses cache revalidation across intermediaries used in cloud provider networks at Google Cloud Platform and Microsoft Azure.

Cache Storage and Replacement

Storage considerations include metadata retention, freshness lifetime calculation, and heuristics when explicit times are absent. Replacement policies (LRU, LFU) are not mandated but discussed in context of practical deployments by projects like Squid (software), Varnish (software), and edge platforms from Fastly. The RFC guides how caches should store partial content (range requests) and combined responses, relevant to multimedia delivery by services such as Netflix, Inc., YouTube, and software libraries used by Android (operating system) and iOS. Storage of sensitive headers and body content implicates compliance programs run by enterprises such as IBM and Oracle Corporation.

Security and Privacy Considerations

The specification highlights the risks of caching sensitive or authentication-protected responses and prescribes conservative defaults to avoid information leakage. It discusses interaction with authentication schemes such as those described in RFC 7235 and with transport-layer security deployed by certificate authorities like Let's Encrypt and vendors like DigiCert. Privacy concerns referenced relate to cross-user data exposure in shared caches operated by ISPs like Comcast Corporation or infrastructure providers such as Equinix. The guidance affects browser vendors (Mozilla Corporation, Google LLC, Apple Inc.) and enterprise security appliances from Palo Alto Networks and Cisco Systems, Inc..

Implementation and Interoperability

RFC 7234 aims to harmonize behavior across implementations, providing normative algorithms and examples for cache selection, validation, and freshness computation. Interoperability testing and conformance efforts have involved open-source projects (Apache Traffic Server, Squid (software), Varnish (software)) and standards test suites maintained by groups like the IETF HTTP Working Group. Commercial CDN and proxy vendors ensure compliance through feature documentation and compatibility testing with major web platforms including WordPress, Shopify, and enterprise stacks from Red Hat, Inc..

History and Relationship to Other RFCs

RFC 7234 is part of the RFC 7230–7235 set that collectively updates HTTP/1.1, obsoleting aspects of older specifications such as RFC 2616. It references, refines, and interoperates with RFC 7230 (message syntax), RFC 7231 (semantics), RFC 7232 (conditional requests), RFC 7233 (range requests), and RFC 7235 (authentication). The work emerged from discussions in the IETF and builds on implementations and operational experience from early web pioneers at institutions like CERN and companies such as Netscape Communications Corporation and Sun Microsystems. Category:Internet standards