What happens if you dont set either the Cache-Control or Expires header

If you don't set either the Cache-Control or Expires header on the response it does not mean that resource wont get cached at all or the browser will validate it with the originating server every time, instead how that is handled depends on your browser.

The HTTP Specification says " Since origin servers do not always provide explicit expiration times, HTTP caches typically assign heuristic expiration times, employing algorithms that use other header values (such as the Last-Modified time) to estimate a plausible expiration time. The HTTP/1.1 specification does not provide specific algorithms, but does impose worst-case constraints on their results. Since heuristic expiration times might compromise semantic transparency, they ought to used cautiously, and we encourage origin servers to provide explicit expiration times as much as possible."

That means, if you dont set Expires or Cache-Control and if your request is going through the proxy server then there is good chance the response will get cached based for different duration based on the algorithm used by the proxy or browser.

Internet Explorer
If you have a css style sheet say http_server_styles.css on your page and it does not have a cache related information, then when you go the page that has this style sheet, the IE will download that stylesheet and keep it until you close the browser. It wont check with originating server to see if the style sheet is changed until you close the browser.

But if you close the browser, reopen it and access the page, it will make a conditional get request to server, to check if the style sheet is actually changed, if not the server will respond with HTTP 304 NOt Modified. IF yes the server will return HTTP 200 with full body of the response

Firefox

The Firefox handles this differently, if you dont set the cache-control or expires header, Firefox will use the following formula to calculate expiration date


Expiration Time = Now + 0.1 * (Time since Last-Modified)


Ex. in my case the resource is not changed since 26th of March 2010, so it decides to catch the resource for 12 days i.e. till 31st of July 2010 like this