Fix: invalid Cache-Control directives for REST package

1. There was a typo on the `must-revalidate` directive (missing dash) 2. The `Cache-Control` header didn't completely prevent HTTP caching 3. The `Last-Modified` header is advantageously replaced by right `Expires` and `Cache-Control` headers

Author: helix

rest/jersey2/src/main/java/org/seedstack/seed/rest/jersey2/internal/CacheControlFeature.java

@@ -63,9 +63,19 @@ public void filter(ContainerRequestContext requestContext,
  switch (this.policy) {
  case NO_CACHE:
  MultivaluedMap<String, Object> headers = responseContext.getHeaders();
- headers.putSingle(HttpHeaders.LAST_MODIFIED, new Date());
- headers.putSingle(HttpHeaders.EXPIRES, -1);
- headers.putSingle(HttpHeaders.CACHE_CONTROL, MUST_REVALIDATE_PRIVATE);
+
+ // HTTP Caching is a tough subject thanks to the diversity of clients (browser and cache/proxy servers)
+ // See below a pretty good reference on HTTP Caching:
+ // https://stackoverflow.com/questions/49547/how-to-control-web-page-caching-across-all-browsers
+
+ // For client that doesn't support newer `Cache-Control` HTTP header
+ // https://tools.ietf.org/html/rfc7234#section-5.3
+ headers.putSingle(HttpHeaders.EXPIRES, 0);
+
+ // https://tools.ietf.org/html/rfc7234#section-5.2.2
+ // Theoretically, `no-store` only would be sufficient
+ // But for compatibility-purpose, adding other related headers doesn't hurt
+ headers.putSingle(HttpHeaders.CACHE_CONTROL, "no-store, no-cache, must-revalidate, private");
  break;
  case CUSTOM:
  break;