
The Web Developer's Guide to HTTP Cache-Control

Feb 3, 2026

Imagine you run a local library. Every time someone wants to read a book, they have to walk all the way to your building, find the book, and check it out. This takes time and energy.

Now, imagine if you let people keep a copy of the book in their own living room. The next time they want to read it, they just grab it from the shelf. That is caching.

In the world of the web, Cache-Control is the set of instructions the server gives the browser to decide who gets to keep a copy of a file and for how long.


1. The "Expiration Date": max-age

This is the most common instruction. It tells the browser exactly how many seconds it can keep the file before it's considered "stale."

  • The Instruction: Cache-Control: max-age=3600
  • Layman's Term: "You can keep this for 1 hour (3600 seconds). Don't ask me for it again until that hour is up."
  • Best for: Static images, CSS files, or logo icons that don't change often.

2. The "Strict Parent": no-store

Sometimes, you have data that is too sensitive to be saved anywhere—like a bank balance or a private message.

  • The Instruction: Cache-Control: no-store
  • Layman's Term: "Do not write this down. Do not save this in your memory. Delete it the moment the user closes the tab."
  • Best for: Banking details, personal private info, or one-time tokens.

3. The "Check With Me First": no-cache

This name is a bit of a lie. It doesn't mean "don't cache"; it means "don't use the cache without asking me first."

  • The Instruction: Cache-Control: no-cache
  • Layman's Term: "You can keep a copy, but before you show it to the user, send me a quick ping to see if I've updated the original."
  • Best for: Your dashboard's main HTML page or your analytics data.

4. The "Private vs. Public"

Browsers aren't the only things that cache data. There are "middlemen" (CDNs or proxy servers) that sit between you and the user.

  • public: "Anyone can cache this. The browser, the CDN, even the coffee shop's Wi-Fi router."
  • private: "This is just for the user. The browser can save it, but the CDN shouldn't show it to anyone else."
  • Layman's Term: Public is a billboard; private is a personal letter.

5. The "I Promise It's Fresh": must-revalidate

Sometimes a browser might try to be "helpful" and show a stale file if the internet is slow. This directive forbids that.

  • The Instruction: Cache-Control: max-age=60, must-revalidate
  • Layman's Term: "You can use this for 60 seconds. But once that time is up, you must check with me. No excuses."

Comparison Summary

Directive   Can the browser save it?   Can the browser use it without asking?
max-age     Yes                        Yes (until it expires)
no-cache    Yes                        No (must validate every time)
no-store    No                         No
private     Yes                        Yes (only for that specific user)
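
The comparison above as a check you can run, written here as an added example (not code from the original article): it parses a Cache-Control value, answers the table's two questions plus whether a shared cache (CDN or proxy) may store the response, and flags sensitive paths that some cache may still keep. The sample responses, the /account/ prefix and all function names are constructed for illustration.

```javascript
// Parse "max-age=60, must-revalidate" into { "max-age": "60", "must-revalidate": true }.
// Simplification: quoted values that contain commas are not handled.
function parseCacheControl(header) {
  const directives = Object.create(null);
  for (const part of (header || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (!name) continue;
    directives[name.toLowerCase()] = rest.length ? rest.join("=") : true;
  }
  return directives;
}

// Answer the table's questions, plus one for shared caches (CDNs, proxies).
function classify(header) {
  const d = parseCacheControl(header);
  const noStore = "no-store" in d;
  const noCache = "no-cache" in d;
  return {
    browserMayStore: !noStore,
    sharedCacheMayStore: !noStore && !("private" in d),
    // With no max-age a cache may still apply its own freshness heuristic.
    reuseWithoutAsking: !noStore && !noCache && Number(d["max-age"]) !== 0,
    staleReuseForbidden: noStore || noCache || "must-revalidate" in d,
  };
}

// Constructed sample responses; paths and header values are invented.
const SAMPLE_RESPONSES = [
  { path: "/static/logo.png", cacheControl: "public, max-age=3600" },
  { path: "/account/balance", cacheControl: "max-age=60, must-revalidate" },
  { path: "/account/messages", cacheControl: "private, no-cache" },
  { path: "/account/token", cacheControl: "no-store" },
  { path: "/dashboard", cacheControl: "no-cache" },
];

// Flag responses under a sensitive prefix that some cache is still allowed to keep.
function auditSensitive(responses, sensitivePrefix) {
  const findings = [];
  for (const { path, cacheControl } of responses) {
    if (!path.startsWith(sensitivePrefix)) continue;
    const c = classify(cacheControl);
    if (c.sharedCacheMayStore) findings.push({ path, risk: "shared cache may store" });
    else if (c.browserMayStore) findings.push({ path, risk: "browser may store" });
  }
  return findings;
}

console.log(auditSensitive(SAMPLE_RESPONSES, "/account/"));
```

Note that /account/balance is flagged even though it has a short max-age: without private or no-store, a CDN is still allowed to keep the response.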

Why should you care?

If you don't set these correctly:

  1. Too strict: Your server will crash because it's handling too many requests for files that haven't changed.
  2. Too loose: Your users will see an "old version" of your site even after you've pushed an update.