I have checked the FAQ, but I failed to get any clues from there.

I have a simple HTTP server which sits behind a Squid 3 reverse proxy. Some of the dynamic content is only available for logged-in users, and we have Squid do the RFC 2617 authentication for us.

If the origin HTTP server goes down (it does happen :-/) Squid returns a cached response rather than an error message. This is bad because the cached response may have been generated for another user of the system, and so may contain sensitive information.

Now, I *thought* I had set up the HTTP headers in these responses to tell Squid to *not* cache them, but clearly I have not understood something. Here are the headers (as seen from a browser hitting Squid):

    HTTP/1.x 200 OK
    Cache-Control: public, max-age=0
    Etag: "MemberHomePage+43"
    Last-Modified: Mon, 01 Aug 2005 21:39:51 GMT
    Server: Swazoo/0.9.76-bb (Sydney)
    Date: Mon, 01 Aug 2005 21:39:51 GMT
    Content-Type: text/html
    Content-Length: 4576
    X-Cache: MISS from squid.xxx.net
    X-Cache-Lookup: HIT from squid.xxx.net:80
    Via: 1.0 squid.xxx.net (squid/3.0-PRE3-CVS)
    Connection: keep-alive

So, my expectation was that the max-age would mean that no cached responses would be served - clearly wrong. Could someone point out my mistake, and perhaps point me to the place in the mountain of documentation I should be looking?

Many thanks,
Bruce
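As an added example, not part of the original post: a small Python check that parses the header block quoted above and reports which Cache-Control properties leave a per-user response reusable by a shared cache, following the directive semantics of RFC 7234 (sections 3.2 and 4.2.4). The function names and finding labels are made up for this illustration.

```python
# Added example: audit Cache-Control on a response generated for a logged-in user.
# SAMPLE is the header block quoted in the post; labels below are illustrative.
SAMPLE = """HTTP/1.x 200 OK
Cache-Control: public, max-age=0
Etag: "MemberHomePage+43"
Last-Modified: Mon, 01 Aug 2005 21:39:51 GMT
Date: Mon, 01 Aug 2005 21:39:51 GMT
X-Cache-Lookup: HIT from squid.xxx.net:80
Via: 1.0 squid.xxx.net (squid/3.0-PRE3-CVS)"""

def parse_headers(raw):
    """Map lowercase header names to values; the status line has no colon and is skipped."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lowercase directive names."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

# Directives that stop a shared cache from answering with a stale copy
# (RFC 7234 section 4.2.4); 'private' keeps the response out of it altogether.
NO_STALE = {"no-store", "no-cache", "private", "must-revalidate",
            "proxy-revalidate", "s-maxage"}

def audit_authenticated_response(raw_headers):
    cc = parse_cache_control(parse_headers(raw_headers).get("cache-control", ""))
    findings = []
    if "no-store" not in cc and "private" not in cc:
        # Neither directive that keeps per-user content out of a shared cache is set.
        findings.append("missing-no-store-or-private")
    if "public" in cc:
        # 'public' lets a shared cache reuse responses to authenticated requests
        # (RFC 7234 section 3.2).
        findings.append("public-allows-authenticated-reuse")
    if NO_STALE.isdisjoint(cc):
        # max-age=0 only marks the entry stale; a cache that cannot reach the
        # origin may still serve it.
        findings.append("stale-on-origin-failure-allowed")
    return findings

if __name__ == "__main__":
    print(audit_authenticated_response(SAMPLE))
```
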