What is the difference between no-cache and no-store?

no-store forbids any storage of the response — it must be fetched fresh every time. no-cache allows storage but requires the cache to revalidate with the origin (via ETag or Last-Modified) before reuse. no-cache is about validation; no-store is about not keeping the data at all.

How do max-age and s-maxage differ?

max-age sets the freshness lifetime in seconds for all caches. s-maxage overrides max-age for shared caches (CDNs, proxies) only, leaving the browser to use max-age. Use s-maxage to cache aggressively at the edge while keeping browsers conservative.

What does immutable do?

Cache-Control: immutable tells the browser the response will never change during its freshness lifetime, so it should not revalidate even on a page reload. It is ideal for fingerprinted static assets like app.4f3a.js that get a new URL whenever content changes.

Why does the Vary header matter for CDNs?

Vary lists request headers that change the response, so the cache stores a separate copy per value. Vary: Accept-Encoding is safe and common; Vary: User-Agent fragments the cache into thousands of entries and effectively disables CDN caching, so avoid it.

What is stale-while-revalidate?

stale-while-revalidate lets a cache serve a stale response immediately while it fetches a fresh copy in the background. The user gets a fast response and the cache is updated for the next request, smoothing over origin latency without blocking.

HTTP Cache Header Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

HTTP caching is controlled by a handful of response headers, and small differences between directives have large effects on performance and correctness. This reference covers the Cache-Control directives, the validators (ETag, Last-Modified), the freshness headers (Expires, Age), and Vary, with notes on how browsers and CDNs interpret each.

How it works

A cache decides whether to reuse a stored response by checking freshness then validation. Freshness comes from Cache-Control: max-age (or the older Expires date): while the response age is below the limit, it is served without contacting the origin. The current age is reported in the Age header.

Once a response goes stale, the cache validates it. If the origin sent an ETag or Last-Modified, the cache sends a conditional request (If-None-Match / If-Modified-Since). The origin replies 304 Not Modified with no body if nothing changed, saving bandwidth, or 200 with fresh content.

Shared caches (CDNs, proxies) honour extra directives — s-maxage, public, private, proxy-revalidate — that let you cache differently at the edge than in the browser. Vary tells the cache which request headers produce different responses so it stores a separate variant per value.

Tips and examples

Fingerprinted assets: Cache-Control: public, max-age=31536000, immutable.
HTML you want fresh but cacheable at the edge: Cache-Control: public, max-age=0, s-maxage=300.
Never cache sensitive responses: Cache-Control: no-store.
Keep Vary minimal — Accept-Encoding is fine, User-Agent destroys hit rates.
Use stale-while-revalidate and stale-if-error to hide origin latency and outages from users.