HTTP's caching mechanism allows intermediary servers between a web server and its clients to cache responses according to set of heuristics. There are a number of approaches to this.
Expiration and validation
These mechanisms are server-side, implicit directives.
In requests clients will include an
If-Modified-Since header for all resources that already exist within their caches, containing the value of the
Date sent by the server in response.
The server can either:
- find that the resource has not been modified since this date and return a 304 Not Modified response; or
- serve the updated content with a new
The server can assign opaque values representing a file's content (e.g. a hash) which a client can store for use in subsequent requests. The protocol defines an optional "weak validator" syntax (prefixing the value with a
W/) to indicate semantic compatibility but not byte-for-byte compatibility.
For resources already in the cache, the client can send and
If-None-Match header with the value of the previous
ETag. If the resource remains unchanged the server may respond with a 304 Not Modified.
Can also be used to avoid collisions during a
POST with the
If-Match header, allowing the server to respond with a 412 Precondition Failed to signal that the resource has been modified while the user was completing a form.
These mechanisms are explicit, and both client-side and server-side.
Expires header can be sent to cause the content to expire at a specific time.
Clients can include
Cache-Control headers in requests:
max-age=seconds, relative to request time.
max-stale[=seconds]accepts a stale response, relative to request time.
min-fresh=secondsrequires a response will be fresh for the specified number of seconds.
no-cacheallows storage in caches, but forces revalidation.
no-storeforbids storage in any cache.
no-transformforbids caches/proxies modifying the response body,
only-if-cachedallows a client to prevent a cache from going out to an origin server to request a page. It should respond with a 504 Gateway Timeout if not.
Servers can include
Cache-Control headers in responses:
must-revalidateforbids caches from using their stale copies without revalidation with the origin server.
publicallows any cache to store the response, even if it'd otherwise be considered non-cacheable.
privateallows storage only in a user's browser.
must-revalidatefor shared caches.
Expiresheader, but only for shared caches.
Browsers typically provide multiple ways of triggering these behaviours:
- "Refresh" actions typically send
- "Hard refresh" actions typically send
Pragma: no-cache response header will behave the same way as