IIS 7.0 - IIS adding “private” to cache-control, w

Published 2019-06-27 07:41

Question:

Because we protect .PDF files from anonymous users, we have a custom handler so we have an entry

We also made a change to the http headers to add "cache-control: no-cache,no-store" via IIS 7 management which creates web.config entries under system.webserver element as follows:

<httpProtocol>
  <customHeaders>
    <clear />
    <add name="cache-control" value="no-cache,no-store" />
  </customHeaders>
</httpProtocol>

When I review the Response headers in a Burp Suite session, I see for .aspx pages: cache-control: no-store,no-cache,no-store

But for PDF pages:

Cache-Control: private,no-cache,no-store

My goal would be to get everything to just "no-cache, no-store". I am not sure what I am missing. There are no other cache settings in the web.config. Please advise on how to remove "private" from PDF pages and the extra no-store from all else. Other static pages go through the System.Web.StaticFileHandler, and they also have the "no-store,no-cache,no-store".

Answer 1:

Although this post is now a few years old, I thought I would share my solution that may save someone hours of head-scratching.

I have an MVC 4 site set up using IIS, and my aim was to have IIS add headers to certain files (defined by location), by using the <customHeaders> section. The 'cache-control' values I had in the <customHeaders> section were being appended to the end of 'cache-control: private', magically being added by IIS.

This was because of the runAllManagedModulesForAllRequests setting in my web.config being set to true:

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
    </modules>
</system.webServer>

This setting was causing one of the IIS Modules (I don't know which) to append the 'cache-control' header to every file being requested from IIS.

So the solution is to set this to false, and manage each of your modules separately using the preCondition attribute on each.

The runAllManagedModulesForAllRequests setting was required by earlier versions of MVC because extensionless routing would not work without it. This has since been fixed; more details here:

http://blogs.msdn.com/b/tmarq/archive/2010/04/01/asp-net-4-0-enables-routing-of-extensionless-urls-without-impacting-static-requests.aspx

Useful reading on the use of runAllManagedModulesForAllRequests

http://weblog.west-wind.com/posts/2012/Oct/25/Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78



Answer 2:

I can't tell you why IIS 7 is adding "private" to the cache control, but I can show you how I'm getting rid of it in my own ASHX-based pass-through proxy (see 1st comment below Original Post).

using System;
using System.Web;

public class proxy : IHttpHandler
{
    // Required by IHttpHandler; this handler keeps no per-request state
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Remove the 'private' string value from the response.CacheControl member
        if (response.CacheControl == "private")
        {
            response.CacheControl = String.Empty;
        }

        // Do other stuff
    }
}

This won't work if you're using the built-in Cassini web development server in Visual Studio. To mess with headers, you need to switch to a full-blown IIS Web Server in your development environment.
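
To confirm a fix took effect across handlers, the header comparison the question does by eye in Burp Suite can be scripted. The following is an added example, not part of the original posts: it audits captured response headers against the "no-cache, no-store" goal and reports duplicated or unexpected directives. The function names, sample paths and status lines are assumptions; the header values are the ones quoted in the question.

```python
EXPECTED = ("no-cache", "no-store")  # the policy the question is aiming for

def directives(raw_headers):
    """Collect Cache-Control directives from raw response header lines.

    Repeated Cache-Control lines are merged into one comma-separated list,
    which HTTP permits. Names are lower-cased; arguments (max-age=0) are kept.
    Quoted arguments that contain commas are not handled.
    """
    found = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cache-control":
            found += [d.strip().lower() for d in value.split(",") if d.strip()]
    return found

def audit(raw_headers, expected=EXPECTED):
    """Return a list of findings; an empty list means the policy is met exactly."""
    seen = directives(raw_headers)
    if not seen:
        return ["missing: no Cache-Control header"]
    names = [d.split("=", 1)[0] for d in seen]
    findings = []
    for n in sorted(set(names)):
        if names.count(n) > 1:
            findings.append(f"duplicate: {n} x{names.count(n)}")
        if n not in expected:
            findings.append(f"unexpected: {n}")
    findings += [f"missing: {e}" for e in expected if e not in names]
    return findings

# Constructed samples: header values as quoted in the question,
# paths and status lines made up for illustration.
SAMPLES = {
    "/page.aspx": "HTTP/1.1 200 OK\r\ncache-control: no-store,no-cache,no-store\r\n",
    "/doc.pdf": "HTTP/1.1 200 OK\r\nCache-Control: private,no-cache,no-store\r\n",
    "/goal": "HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\n",
}

def audit_all(samples=SAMPLES):
    """Audit every sample and return {path: findings}."""
    return {path: audit(raw) for path, raw in samples.items()}

if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```
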