How HTTP caching works: Cache-Control header explained
Cache-Control directives, max-age, no-store, no-cache, public vs private, s-maxage, stale-while-revalidate, cache hierarchy
Cache-Control: Commanding the Cache
The Cache-Control response header tells every cache between your server and the user how to store and serve your response. Get it wrong and you get stale content or zero caching benefit.
Key directives
# Cache for 1 hour in browser and CDN
Cache-Control: public, max-age=3600
# Cache in browser only (not CDN), revalidate after 10 minutes
Cache-Control: private, max-age=600
# Never cache — always fetch fresh (sensitive data)
Cache-Control: no-store
# Cache but always revalidate before serving
Cache-Control: no-cache
# CDN caches for 1 day, browser for 10 minutes
Cache-Control: public, s-maxage=86400, max-age=600
# Serve stale while revalidating in background
Cache-Control: public, max-age=3600, stale-while-revalidate=86400
no-store vs no-cache
no-store means do not write anything to disk or memory; use it when the response contains sensitive data (banking pages, personal dashboards). no-cache means the cache may store the response, but must always check with the server before serving it. If the server confirms the content has not changed, it returns a 304 response and the cache serves the stored copy.
public vs private
public means any cache — CDN, shared proxy — may store and serve the response. private means only the individual user's browser may cache it. Use private for any response containing personalized or user-specific data to prevent one user's data being served to another via a shared CDN.
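An added example (not part of the original page): a small Python audit that parses Cache-Control and flags personalized responses that a CDN or shared proxy may store. The response list, the paths and the `personalized` label are constructed assumptions; only the directives come from the text above.

```python
def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_may_store(directives):
    """Of the directives covered here, only no-store and private keep a shared cache out."""
    return "no-store" not in directives and "private" not in directives

def fresh_seconds(directives, shared):
    """Seconds a stored copy is served without revalidation; None if unstated."""
    if "no-cache" in directives:
        return 0  # stored, but revalidated before every reuse
    key = "s-maxage" if shared and "s-maxage" in directives else "max-age"
    arg = directives.get(key)
    return int(arg) if arg and arg.isdigit() else None

def audit(responses):
    """Return (path, reason) for each personalized response a shared cache may store."""
    findings = []
    for r in responses:
        d = parse_cache_control(r.get("cache_control"))
        if r["personalized"] and shared_cache_may_store(d):
            ttl = fresh_seconds(d, shared=True)
            reason = "no Cache-Control header" if not d else (
                f"shared cache may store, fresh for {ttl}s" if ttl is not None
                else "shared cache may store, lifetime unstated")
            findings.append((r["path"], reason))
    return findings

# Constructed sample data; "personalized" is a label assigned by the auditor.
SAMPLE = [
    {"path": "/static/app.js", "personalized": False, "cache_control": "public, max-age=3600"},
    {"path": "/account", "personalized": True, "cache_control": "public, s-maxage=86400, max-age=600"},
    {"path": "/dashboard", "personalized": True, "cache_control": "private, max-age=600"},
    {"path": "/statement", "personalized": True, "cache_control": "no-store"},
    {"path": "/profile", "personalized": True, "cache_control": None},
    {"path": "/inbox", "personalized": True, "cache_control": "no-cache"},
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

The `/inbox` finding shows that no-cache alone does not restrict where a response is stored; it needs private or no-store alongside it to stay out of shared caches.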
