Information on using all three headers and how Internet Explorer supports them can be found at http://support.microsoft.com/kb/q234067/.
Expires
The Expires header is part of both the HTTP 1.0 and 1.1 specifications, and should be supported by every major and minor browser in use. Per the specification, the Expires header does not prevent local caching of the resource; it tells the browser to check for a new version after a particular date. The header is set either to an absolute date and time at which the page's content expires, or to -1 to indicate immediate expiration. For dynamically generated pages, the suggested value is -1; for static pages, or pages that change infrequently (daily or longer), the suggested value is a specific date slightly before the next expected update.
Also per the specification, the browser's Back button should display pages even past their expiration date. As such, setting the Expires header alone is not enough, but every page should still have an Expires value.
Pragma: no-cache
This header is part of the HTTP 1.0 and 1.1 specifications. The Pragma: no-cache header is not meant to control browser caching of server responses, but is intended to signal proxy servers to expire the request and properly forward any other similar requests to the web server.
Recent versions of Internet Explorer support the use of Pragma: no-cache to expire responses, but this behavior is not supported by version 5 or earlier, and may not be supported by many other browsers either. You may see this header in a number of examples online, but since it is actually part of the request, it is recommended that you not use it in the response stream.
Cache-Control
This header is part of the HTTP 1.1 specification only. Most browsers and proxy servers in use today should support HTTP 1.1, but in the browser this is an option the user can configure. It's probably safe to assume that devices contacting your site support this header, but you cannot count on it.
You can set Cache-Control to several values:
- Public: Content can be stored in public shared caches. Good for your home page and any other publicly available pages.
- Private: Content can be stored only in private cache. Proxy servers should not store the content unless they support private caching. Useful for pages with user interaction; a better method is No-store (see below).
- No-cache: Content may not be cached. This is the highest security setting, and should be used for all pages that contain sensitive information.
- No-store: A better form of Private. Content may be cached for the length of the session, but not archived.
All applications should set the Cache-Control of their pages.
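The guidance in this section can be turned into a response-header check. The following is an added example, not code from the original article; the function name, finding strings and sample headers are constructed for illustration, and the rules are the ones stated above (every page has Expires and Cache-Control, sensitive pages use no-cache, Pragma is not sent in responses).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def audit_cache_headers(headers, sensitive, now=None):
    """Check one response's caching headers against the guidance in this section.

    headers   -- dict of response header names to values
    sensitive -- True for dynamic pages or pages with sensitive information
    now       -- comparison time (defaults to the current UTC time)
    Returns a list of finding strings; an empty list means no findings.
    """
    now = now or datetime.now(timezone.utc)
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    expires = h.get("expires")
    if expires is None:
        findings.append("Expires missing")
    elif expires != "-1":  # -1 means immediate expiration
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            findings.append("Expires is neither -1 nor a valid date")
        else:
            if sensitive and when > now:
                findings.append("Expires is in the future on a sensitive page")

    cache_control = h.get("cache-control")
    if cache_control is None:
        findings.append("Cache-Control missing")
    else:
        directives = {d.split("=")[0].strip().lower() for d in cache_control.split(",")}
        if sensitive and "no-cache" not in directives:
            findings.append("Cache-Control lacks no-cache on a sensitive page")
        if sensitive and "public" in directives:
            findings.append("Cache-Control public on a sensitive page")

    if "pragma" in h:
        findings.append("Pragma set on the response")
    return findings


# Constructed sample responses, not captured traffic.
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
ACCOUNT_PAGE = {"Cache-Control": "private", "Pragma": "no-cache"}
HOME_PAGE = {"Expires": "Wed, 01 Jan 2031 00:00:00 GMT", "Cache-Control": "public"}

if __name__ == "__main__":
    print(audit_cache_headers(ACCOUNT_PAGE, sensitive=True, now=NOW))
    print(audit_cache_headers(HOME_PAGE, sensitive=False, now=NOW))
```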