HTTP Cache-Control Header Builder | Compose Directives with Conflict Diagnostics
Build a Cache-Control response header with radio buttons and checkboxes. Pick public or private cacheability, set max-age, s-maxage and stale-while-revalidate in seconds, toggle flags like must-revalidate or immutable, and the tool outputs a single header line such as Cache-Control: private, max-age=3600 plus a plain-English explanation. It also flags five common contradictory combinations, like pairing no-store with max-age.
💡 About this tool
If you have ever stared at an Nginx, Cloudflare or S3 config wondering whether your Cache-Control line actually does what you think, you are not alone. The directive names are easy to remember, but the interactions are where bugs hide. no-cache and no-store look almost identical yet behave in opposite ways, and figuring out which one wins when you also set max-age usually means another trip to MDN.
This builder assembles the header for you and, just as importantly, calls out the combinations that cancel each other out. Set no-store and then type a max-age value, and it tells you that no-store wins and nothing gets stored. Check immutable while max-age is zero, and it warns that the flag has no effect. Treat it as a scratchpad: tweak the directives, sanity-check the result, then paste a header you trust into your real config.
🧐 Frequently Asked Questions
Q. What is the difference between no-cache and no-store? no-cache still stores the response but must revalidate it with the origin before reuse. no-store forbids storing the response at all. Use no-store for sensitive data you never want written to a cache, and no-cache when you want freshness guaranteed but still allow conditional reuse.
Q. When should I use s-maxage instead of max-age? max-age applies to every cache, including the browser. s-maxage applies only to shared caches such as CDNs and proxies, and it overrides max-age there. A common pattern is a short max-age for browsers and a longer s-maxage so your CDN absorbs more traffic.
Q. What happens to my CDN if I choose private? private means the response may be stored only in a private cache like the browser; CDNs and proxies will not keep a copy. Use it for per-user pages. Switch to public when you do want shared caches to store the response.
Q. Is there an upper limit on the seconds? max-age, s-maxage, stale-while-revalidate and stale-if-error all accept integers from 0 to 31536000 seconds (one year). Anything larger is clamped to 31536000.
Q. What is immutable for? immutable tells the browser the file will not change during its freshness lifetime, so it can skip the conditional revalidation request on reload. It pairs well with hashed asset filenames and a long max-age, where the URL itself changes whenever the content does.
📚 Why Cache-Control Trips People Up
A classic gotcha is assuming no-cache means "do not cache." It does not. The response is still stored locally; the browser simply revalidates with the origin (via ETag or Last-Modified) before serving it. The directive that truly prevents storage is no-store. Mixing them up is one of the most upvoted "why is my page still cached" answers on Stack Overflow.
The other frequent surprise is the split between browser and shared caches. Because s-maxage only affects shared caches, you can ship a long CDN lifetime while keeping browsers on a short leash, which is exactly how many static-site setups combine immutable hashed bundles with a frequently revalidated HTML shell. RFC 9111 codifies all of this, but having the contradictions surfaced as you build saves a round trip to the spec.