ADP
API Design Principle (BETA)

[ADP-370] HTTP Caching: Last-Modified

Procedures

  1. The server includes a Last-Modified header in the response, indicating when the resource was last changed.
  2. The client stores this value and includes it in subsequent requests using the If-Modified-Since header.
  3. The server compares the If-Modified-Since date with the resource's last modification date.
  4. If the resource hasn't been modified since the date in If-Modified-Since, the server responds with a 304 Not Modified status.

Guidance

  • SHOULD use Last-Modified in the response header for caching when appropriate.
  • MUST ensure that the Last-Modified date is accurate and updated whenever the resource changes.
  • SHOULD implement proper handling of If-Modified-Since requests on the server-side.
  • MAY use Last-Modified in conjunction with ETag for more robust caching mechanisms, as described in ADP-134.

Implementation Details

  • The browser automatically attaches If-Modified-Since in subsequent requests. For non-browser clients (e.g., command-line tools like curl or server-side requests), you may need to manually include the If-Modified-Since header.
  • Servers should implement a reliable method to track and update the Last-Modified date. This could involve database timestamps, file system metadata, or other appropriate mechanisms.
  • When responding to an If-Modified-Since request:
    • If the resource has not been modified, return a 304 Not Modified status with no body.
    • If the resource has been modified, return a 200 OK status with the full resource and an updated Last-Modified header.

Best Practices

  1. Use Last-Modified for resources that change infrequently and have a clear last modification time.
  2. Combine Last-Modified with ETag for more precise caching control, as outlined in ADP-134.
  3. Ensure your server's clock is synchronized to avoid issues with time-based caching.
  4. Be cautious with dynamically generated content; ensure the Last-Modified date accurately reflects content changes.
  5. Consider using Cache-Control headers in addition to Last-Modified for more granular cache control, as discussed in ADP-134.

Example

Server Response (Initial Request)

```http
HTTP/1.1 200 OK
Content-Type: application/json
Last-Modified: Sat, 21 Oct 2023 07:28:00 GMT
Cache-Control: public, max-age=3600

{
  "data": "This is the resource content"
}
```

Subsequent Client Request

```http
GET /resource HTTP/1.1
If-Modified-Since: Sat, 21 Oct 2023 07:28:00 GMT
```

Server Response (Not Modified)

```http
HTTP/1.1 304 Not Modified
```

Security Considerations

  • Ensure that Last-Modified dates do not reveal sensitive information about your system or update patterns.
  • Be aware that clients can manipulate the If-Modified-Since header; always validate it server-side.
  • Consider the implications of caching on sensitive or user-specific data.
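The server-side comparison from the Procedures section, combined with the validation of a client-supplied If-Modified-Since value called for above, can be sketched as follows. This is an added example, not code from ADP; the function names and the headers-as-dict interface are assumptions, and ignoring a date later than the server's clock is a design choice made here.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def parse_if_modified_since(value):
    """Return an aware UTC datetime, or None if the header is missing or invalid."""
    if not value or len(value) > 64:  # client-controlled input: bound it first
        return None
    try:
        parsed = parsedate_to_datetime(value)
        if parsed.tzinfo is None:  # no usable zone, e.g. "-0000" or none given
            return None
        return parsed.astimezone(timezone.utc)
    except (TypeError, ValueError, OverflowError):
        return None  # malformed or out-of-range date: ignore the header


def conditional_get(method, headers, last_modified, body, now=None):
    """Return (status, response_headers, body); last_modified must be aware UTC."""
    now = now or datetime.now(timezone.utc)
    headers = {k.lower(): v for k, v in headers.items()}
    # HTTP dates have one-second resolution; never advertise a future date.
    last_modified = min(last_modified, now).replace(microsecond=0)
    out = {"Last-Modified": format_datetime(last_modified, usegmt=True)}

    since = parse_if_modified_since(headers.get("if-modified-since"))
    applies = (
        method in ("GET", "HEAD")
        and "if-none-match" not in headers  # an ETag validator takes precedence
        and since is not None
        and since <= now  # design choice here: a future date is treated as invalid
    )
    if applies and last_modified <= since:
        return 304, out, b""
    return 200, out, body
```

Any header value that fails parsing falls through to a normal 200 response, so a manipulated If-Modified-Since can never cause an error or suppress the Last-Modified header.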

References