Three main headers control caching whenever a client fetches a resource over HTTP:

- Cache-Control - client cache control, defined for HTTP1.1
- Pragma - client cache control, defined for HTTP1.0
- Expires - proxy cache control, defined for both HTTP1.1 and HTTP1.0

For each of those protocols, the headers should reflect the values:

- Cache-Control → no-cache, no-store, must-revalidate
- Pragma → no-cache
- Expires → 0

Note that other values can be set, such as private, which, per definition, may implicitly make the browser not cache a resource. However, private means that the resource is intended for a single user and must not be cached by a shared cache (RFC 2616 section 14.9.1), which is different from "not caching the resource under any circumstance".
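
The check below is an added example, not part of the original page: it audits a response's headers against the three recommended values and flags the case where private is set without no-store. The function names and the sample responses are constructed for illustration.

```python
import re

REQUIRED_CC = ("no-cache", "no-store", "must-revalidate")
# directive name, optionally followed by =token or ="quoted, list"
_DIRECTIVE = re.compile(r'([\w-]+)(?:=("[^"]*"|[^,]*))?')

def parse_cache_control(value):
    """Return {directive: argument or None}; names are case-insensitive."""
    return {name.lower(): (arg.strip().strip('"') or None)
            for name, arg in _DIRECTIVE.findall(value)}

def audit_cache_headers(headers):
    """List deviations from the three recommended values ([] = match)."""
    # Header field names are case-insensitive, so normalise them first.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = [f"Cache-Control lacks {d}" for d in REQUIRED_CC if d not in cc]
    if "private" in cc and "no-store" not in cc:
        findings.append("private only excludes shared caches; "
                        "the browser may still store the response")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma is not no-cache")
    if h.get("expires") != "0":
        findings.append("Expires is not 0")
    return findings

# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "recommended": {"Cache-Control": "no-cache, no-store, must-revalidate",
                    "Pragma": "no-cache", "Expires": "0"},
    "private only": {"cache-control": 'private="Set-Cookie, X-Token", max-age=0'},
    "no legacy headers": {"CACHE-CONTROL": "No-Store, no-cache, must-revalidate"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", audit_cache_headers(hdrs) or "OK")
```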