Cache-Control on API GET calls

[pnorman]

Currently the API sends a Cache-Control: max-age=0, private, must-revalidate header in node responses. RFC2616 gives the meaning of private as

Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache. This allows an origin server to state that the specified parts of the response are intended for only one user and are not a valid response for requests by other users. A private (non-shared) cache MAY cache the response.

whereas public is

Indicates that the response MAY be cached by any cache, even if it would normally be non-cacheable or cacheable only within a non- shared cache. (See also Authorization, section 14.8, for additional details.)

Given the nature of the GET API calls, public seems like a better fit.

[tomhughes]

Given the max-age=0 whether it is public or private is irrelevant as it always has to refetch the object anyway.

[pnorman]

Good point. We're currently sending no-cache on deleted and missing nodes, should we send the same as for found nodes?