Cache-Control Directives Reference

Updated April 2026

Complete reference for every Cache-Control response directive — what it does, who respects it, and when to use it.

Response directives (set by server)

max-age=<seconds>

The response is fresh for the specified number of seconds after it was generated. After that it is stale. Both browsers and CDNs respect this.

Cache-Control: max-age=3600  # Fresh for 1 hour

s-maxage=<seconds>

Same as max-age but only for shared caches (CDNs, proxies). Browsers ignore s-maxage and use max-age. Use when you want different TTLs for browsers vs CDNs.

Cache-Control: max-age=60, s-maxage=3600  # Browser: 1min, CDN: 1hr

no-cache

The response may be stored but must be revalidated before every use. The browser sends a conditional request (ETag or Last-Modified). If the resource is unchanged, the origin returns 304. If it has changed, the full response is returned.

Cache-Control: no-cache

no-store

The response must not be stored in any cache. Every request goes to origin. Use for sensitive, user-specific, or real-time data.

Cache-Control: no-store

private

Only the end user's browser may cache. CDNs and shared caches must not store. Does not prevent browser caching.

Cache-Control: private, max-age=300

public

Any cache — including CDNs — may store the response. Required for CDNs to cache responses that carry a Set-Cookie header or that answer requests sent with an Authorization header (which CDNs treat as private by default).

Cache-Control: public, max-age=3600

immutable

The response body will not change during the freshness lifetime. Caches skip revalidation on refresh. Only meaningful on resources with content-hashed filenames.

Cache-Control: public, max-age=31536000, immutable

must-revalidate

Once stale, the cache must revalidate before serving. Unlike default behaviour, must-revalidate means the cache cannot serve stale if origin is unreachable — it returns 504 instead.

Cache-Control: max-age=3600, must-revalidate

proxy-revalidate

Same as must-revalidate but only applies to shared caches. Browser caches are not affected.

Cache-Control: max-age=3600, proxy-revalidate

stale-while-revalidate=<seconds>

After max-age expires, the cache may serve stale for up to N additional seconds while fetching a fresh copy in the background. No user-visible latency during revalidation.

Cache-Control: max-age=60, stale-while-revalidate=300

stale-if-error=<seconds>

If the origin returns an error (5xx) or is unreachable, the cache may serve the stale response for N seconds. Improves resilience during origin outages.

Cache-Control: max-age=300, stale-if-error=86400
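
The combination rules for the response directives above, as an added example that is not part of the original reference: a small Python model of what a browser cache and a shared cache (CDN, proxy) each do with one header value. The function names and the has_set_cookie flag are assumptions made for illustration.

```python
# Added example: models how the response directives above combine for a
# browser cache versus a shared cache. Simplification: quoted arguments
# that contain commas (e.g. private="a, b") are not handled.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def _seconds(directives, name):
    """Integer argument of a seconds directive, or None if absent/invalid."""
    arg = directives.get(name)
    return int(arg) if arg is not None and arg.isdigit() else None

def cache_policy(value, shared, has_set_cookie=False):
    """Model one cache's decision. shared=True is a CDN/proxy, False a browser.

    has_set_cookie is a hypothetical flag supplied by the caller: True when
    the same response also carries a Set-Cookie header.
    """
    d = parse_cache_control(value)
    # no-store forbids all storage; private forbids shared caches only.
    store = "no-store" not in d and not (shared and "private" in d)
    # s-maxage replaces max-age, but only for shared caches.
    ttl = _seconds(d, "max-age")
    if shared and _seconds(d, "s-maxage") is not None:
        ttl = _seconds(d, "s-maxage")
    warnings = []
    if shared and store and "public" in d and has_set_cookie:
        warnings.append("public lets a shared cache store a Set-Cookie response")
    return {
        "store": store,
        "ttl": ttl if store else None,
        # no-cache: stored, but revalidated with origin before every use.
        "revalidate_each_use": store and "no-cache" in d,
        # must-revalidate binds every cache, proxy-revalidate shared ones only.
        "no_stale_on_error": "must-revalidate" in d
                             or (shared and "proxy-revalidate" in d),
        "warnings": warnings,
    }
```

Running the same header through both shared=True and shared=False shows where a CDN and a browser diverge, which is the quickest way to catch a user-specific response that a shared cache would still store.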

Request directives (set by browser)

These are sent by browsers in requests and generally do not need to be set manually.

Directive        What it does
no-cache         Browser asks cache to revalidate before serving (Ctrl+Shift+R)
no-store         Browser asks not to store the response
max-age=0        Browser accepts only fresh responses
max-stale=N      Browser accepts responses up to N seconds stale
only-if-cached   Browser only wants cached response, no network request