HTTP Caching Headers — Cache-Control, ETag, and Expires Explained
About HTTP Caching Headers
Complete guide to HTTP caching headers including Cache-Control directives, ETag validation, Expires headers, and troubleshooting stale cache issues. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: Cache-Control is the primary header for controlling caching behavior in HTTP/1.1+. Common directives: max-age, no-cache, no-store, public, private, must-revalidate. ETag provides content-based cache validation — the server returns 304 Not Modified if content unchanged. Last-Modified/If-Modified-Since provides time-based cache validation. Expires header is the older HTTP/1.0 approach — Cache-Control takes precedence when both are present. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.
The most common reasons this occurs include: Stale content served from cache due to overly long max-age values. no-cache misunderstood — it means 'revalidate before using cache', not 'do not cache'. CDN caching old content after server-side updates. Browser serving cached responses for dynamic content that should be fresh. Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps: Set Cache-Control: no-store for sensitive data (banking, medical) to prevent any caching. Use Cache-Control: public, max-age=31536000 for static assets with content hashes in filenames. Implement ETag headers for dynamic content that changes infrequently. Use Cache-Control: no-cache for content that should always be revalidated before display. Add Vary header when response differs by Accept-Encoding, Accept-Language, or other request headers. Purge CDN cache after deployments: use your CDN's purge API or deploy with new asset URLs. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
What is the difference between no-cache and no-store?
no-cache allows caching but requires revalidation with the server before each use. no-store prohibits caching entirely — nothing is stored on disk or in memory.
Overview
Complete guide to HTTP caching headers including Cache-Control directives, ETag validation, Expires headers, and troubleshooting stale cache issues.
Key Details
- Cache-Control is the primary header for controlling caching behavior in HTTP/1.1+
- Common directives: max-age, no-cache, no-store, public, private, must-revalidate
- ETag provides content-based cache validation — the server returns 304 Not Modified if content unchanged
- Last-Modified/If-Modified-Since provides time-based cache validation
- Expires header is the older HTTP/1.0 approach — Cache-Control takes precedence when both are present
Common Causes
- Stale content served from cache due to overly long max-age values
- no-cache misunderstood — it means 'revalidate before using cache', not 'do not cache'
- CDN caching old content after server-side updates
- Browser serving cached responses for dynamic content that should be fresh
Steps
- 1Set Cache-Control: no-store for sensitive data (banking, medical) to prevent any caching
- 2Use Cache-Control: public, max-age=31536000 for static assets with content hashes in filenames
- 3Implement ETag headers for dynamic content that changes infrequently
- 4Use Cache-Control: no-cache for content that should always be revalidated before display
- 5Add Vary header when response differs by Accept-Encoding, Accept-Language, or other request headers
- 6Purge CDN cache after deployments: use your CDN's purge API or deploy with new asset URLs