I would also like to sort this out - I know it has been discussed before. I tried changing the error from a 403 Forbidden to a 404 Not Found in squidguard_configurator.inc, thinking that the browsers would not cache a 404. But it didn't work; Firefox still seemed to cache it.
In my case, I have small sites that don't have a 24-hour internal server/system. Often in the evening there might be just pfSense, an AP and someone on a laptop. So I would like Squid/SquidGuard to do its filtering and send back reject messages entirely internally to the pfSense box (Alix nanobsd - so shouldn't add too many extras). But I need to find a message type to send back that does not get cached by popular browsers. These are the user scenarios:
a) Desktop that lives in the office all the time, page is permanently blacklisted - no problem caching the reject, it is likely to still be blacklisted in future anyway.
b) Accessing a page that has timed rules in SquidGuard - definitely do not want to cache, since the page WILL be allowed at some other time today.
c) Accessing rejected pages from a laptop (work owned or personal) - do not want to cache, the laptop will be on other networks, public WiFi, etc., and it will really annoy the user if they have a bunch of cached reject pages stuck in their browser.
Maybe the default reject page can contain "do not cache" directives in the header?
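One way to act on the "do not cache" idea above, as an added example that is not part of the original post and is not pfSense or squidGuard code: the Python below builds a reject response carrying no-cache headers and checks whether a browser may reuse it without asking the proxy again. All function names and the sample page are hypothetical; the status list is the set RFC 7231 section 6.1 defines as cacheable by default, which includes 404 but not 403.

```python
# Added illustration; names are hypothetical, not squidGuard's own code.
# Status codes a cache may store WITHOUT explicit freshness headers
# (RFC 7231 section 6.1). 404 is in the list, 403 is not.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

NO_CACHE_HEADERS = (
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),  # for HTTP/1.0 clients and caches
    ("Expires", "0"),        # invalid date, treated as already expired
)

PAGE = "<html><body><h1>Access denied by proxy policy</h1></body></html>"  # constructed sample


def build_reject(status, reason, html, no_cache=True):
    """Return the raw bytes of a reject response, optionally marked uncacheable."""
    body = html.encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    if no_cache:
        headers.extend(NO_CACHE_HEADERS)
    head = f"HTTP/1.1 {status} {reason}\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers)
    return head.encode("ascii") + b"\r\n" + body


def reusable_from_cache(raw):
    """True if a browser may serve this response again without revalidating."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    hdrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip().lower()
    directives = {d.strip() for d in hdrs.get("cache-control", "").split(",") if d.strip()}
    if directives & {"no-store", "no-cache", "max-age=0"}:
        return False  # explicitly forbidden or must be revalidated first
    if any(d.startswith("max-age=") for d in directives):
        return True   # explicit positive freshness lifetime
    if "expires" in hdrs:
        return hdrs["expires"] not in ("0", "-1")  # simplification: other values count as fresh
    return status in HEURISTIC_STATUS  # no directives: fall back to the status code


if __name__ == "__main__":
    for code, reason in ((403, "Forbidden"), (404, "Not Found")):
        for flag in (False, True):
            raw = build_reject(code, reason, PAGE, no_cache=flag)
            print(code, "no_cache=%s" % flag, "reusable:", reusable_from_cache(raw))
```

To compare against a live reject page, capture its headers with `curl -i` through the proxy and look for the same `Cache-Control` line.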