Right now we depend on zeus to do this by looking at cookies, but setting the no-cache header gives us stronger privacy control.
When we do this, let's not overwrite cache-control if it's already there (eg. the statistics csvs/json).
We need to manage our own HTTP caching once apps start requiring login.
We turned off HTTP caching. Not reopening blocked bug because that's how the rules currently work.