Cache-Control

An HTTP header that tells browsers and CDNs how long to cache a response.

Cache-Control combines directives: max-age, s-maxage (shared caches), private, no-store, immutable, stale-while-revalidate, and more. Browsers and CDNs each interpret the resulting set of directives; middleware that strips or overrides the header changes production behavior even when the origin looks correct.

Why developers care

Wrong caching means either angry users on stale dashboards or serious bugs where a CDN serves one user’s HTML to another after a private miss. APIs that return JSON with auth cookies must usually send no-store or private explicitly. Static hashed assets want long max-age with immutable so PageSpeed Insights (PSI) and real users stop revalidating bytes that never change.

Example

# Fingerprinted build asset:
Cache-Control: public, max-age=31536000, immutable

# Authenticated API:
Cache-Control: private, no-store
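
The two policies above can be checked mechanically. The following is an added example, not part of the original page: a small Python audit that parses Cache-Control and flags per-user responses a shared cache could store, and fingerprinted assets that will still be revalidated. The file-name pattern, the one-year threshold, the `authenticated` flag and the sample responses are assumptions made for illustration.

```python
import re

# Assumption: a content hash of 8+ hex characters in the file name marks a fingerprinted asset.
FINGERPRINT = re.compile(r"[.-][0-9a-f]{8,}\.(?:js|css|woff2|png|svg)$")
ONE_YEAR = 31536000  # assumed threshold for "long" max-age, taken from the example above

def parse_cache_control(value):
    """Return {directive: argument-or-None}; names lower-cased, quotes and spacing tolerated."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def _seconds(cc, name):
    """Numeric argument of a directive, or 0 when absent or malformed."""
    try:
        return int(cc.get(name) or 0)
    except ValueError:
        return 0

def audit(path, headers, authenticated=False):
    """List findings for one response. `authenticated` means the request carried credentials."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control"))
    findings = []
    per_user = authenticated or "set-cookie" in h
    if per_user and not ({"private", "no-store"} & cc.keys()):
        findings.append("per-user response lacks private/no-store")
    if FINGERPRINT.search(path):
        if _seconds(cc, "max-age") < ONE_YEAR:
            findings.append("fingerprinted asset has short max-age")
        if "immutable" not in cc:
            findings.append("fingerprinted asset lacks immutable")
    return findings

# Constructed sample responses: (path, response headers, request was authenticated)
SAMPLES = [
    ("/assets/app.3f9a1c2e.js", {"Cache-Control": "public, max-age=31536000, immutable"}, False),
    ("/assets/app.3f9a1c2e.css", {"Cache-Control": "max-age=600"}, False),
    ("/api/me", {"Cache-Control": "private, no-store", "Set-Cookie": "sid=example"}, True),
    ("/dashboard", {"Cache-Control": "public, s-maxage=300"}, True),
]

if __name__ == "__main__":
    for path, headers, authed in SAMPLES:
        print(path, audit(path, headers, authed) or "ok")
```

Run it against the headers seen at the edge rather than at the origin, since middleware in between may have stripped or overridden the header.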

Spec

RFC 7234
