After asking a question about sending “304 Not Modified” for images stored in the in the Google App Engine datastore, I now have a question about Cache-Control.

My app now sends Last-Modified and Etag, but by default GAE alsto sends Cache-Control: no-cache. According to this page:

The “no-cache” directive, according to the RFC, tells the browser that it should revalidate with the server before serving the page from the cache. [...] In practice, IE and Firefox have started treating the no-cache directive as if it instructs the browser not to even cache the page.

As I DO want browsers to cache the image, I've added the following line to my code:

self.response.headers['Cache-Control'] = "public"

According to the same page as before:

The “cache-control: public” directive [...] tells the browser and proxies [...] that the page may be cached. This is good for non-sensitive pages, as caching improves performance.

The question is if this could be harmful to the application in some way? Would it be best to send Cache-Control: must-revalidate to "force" the browser to revalidate (I suppose that is the behavior that was originally the reason behind sending Cache-Control: no-cache)

This directive insists that the browser must revalidate the page against the server before serving it from cache. Note that it implicitly lets the browser cache the page.