Understand HTTP caching and validation

Follow the decisions a cache makes from storage through freshness and validator-based reuse.

  • caching
  • freshness
  • validation

Caching is a sequence of decisions

A cache first decides whether it can store a response. For a later request, it decides whether a stored response matches, whether it is fresh, and whether it can be reused directly, reused while stale under an explicit allowance, or validated with the origin.

“Cached” is therefore incomplete evidence. Record which cache acted and which decision it made.

HTTP/1.1 200 OK
Cache-Control: max-age=300
ETag: "manual-v4"
Vary: Accept-Encoding
Content-Type: text/html

Expected result: an eligible cache can treat the response as fresh for 300 seconds, match stored variants using Accept-Encoding, and later use the entity tag for validation. These fields do not prove that every cache stored it.

Freshness allows reuse without contacting the origin

An explicit freshness lifetime can come from s-maxage, max-age, or Expires according to cache type and precedence. A fresh stored response can usually be reused without validation. Its current age includes time across upstream caches, not merely time since the browser received it.

A stale response is not automatically deleted or wrong. It normally needs validation before reuse unless a request, response, disconnected operation, or cache extension permits stale reuse.

Validation asks whether the selected representation changed

Validators include entity tags and modification dates. A client sends a precondition such as If-None-Match with a stored validator. If the condition allows reuse for GET or HEAD, the server can return 304 Not Modified without response content, and the cache updates applicable stored metadata.

Validation is a network exchange. It can save representation transfer but still has request latency. Freshness and validation solve different parts of reuse.

no-cache is not no-store

no-cache permits storage but requires successful validation before reuse. The no-store directive tells caches not to store the request or response under its defined scope. Neither directive is a substitute for transport security or a complete privacy design.

Find the responsible cache

Browsers, service workers, forward proxies, reverse proxies, and CDNs can each cache. Compare Age, standard cache fields, relevant vendor fields, and controlled requests. A purge can remove evidence; identify the layer and key before changing policy.

Primary sources