235

From the RFC 2616

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

no-cache

If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.

So it directs agents to revalidate all responses.

Compared this to

must-revalidate

When the must-revalidate directive is present in a response received by a cache, that cache MUST NOT use the entry after it becomes stale to respond to a subsequent request without first revalidating it with the origin server

So it directs agents to revalidate stale responses.

Particularly with regard to no-cache, is this how user agents actually, empirically treat this directive?

What's the point of no-cache if there's must-revalidate and max-age?

See this comment:

http://palpapers.plynt.com/issues/2008Jul/cache-control-attributes/

no-cache

Though this directive sounds like it is instructing the browser not to cache the page, there’s a subtle difference. The “no-cache” directive, according to the RFC, tells the browser that it should revalidate with the server before serving the page from the cache. Revalidation is a neat technique that lets the application conserve band-width. If the page the browser has cached has not changed, the server just signals that to the browser and the page is displayed from the cache. Hence, the browser (in theory, at least), stores the page in its cache, but displays it only after revalidating with the server. In practice, IE and Firefox have started treating the no-cache directive as if it instructs the browser not to even cache the page. We started observing this behavior about a year ago. We suspect that this change was prompted by the widespread (and incorrect) use of this directive to prevent caching.

Has anyone got anything more official on this?

Update

The must-revalidate directive ought to be used by servers if and only if failure to validate a request on the representation could result in incorrect operation, such as a silently unexecuted financial transaction.

That's something I've never taken to heart until now. The RFC is saying not to use must-revalidate lightly. The thing is, with web services, you have to take a negative view and assume the worst for your unknown client apps. Any stale resource has the potential to cause a problem.

And something else I've just considered, without Last-Modified or ETags, the browser can only fetch the whole resource again. However with ETags, I've observed that Chrome at least seems to revalidate on every request. Which makes both these directives moot or at least poorly named since they can't properly revalidate unless the request also includes other headers that then cause 'always revalidate' anyway.

I just want to make that last point clearer. By just setting must-revalidate but not including either an ETag or Last-Modified, the agent can only get the content again since it has nothing to send to the server to compare.

However, my empirical testing has shown that when ETag or modified header data is included in responses, the agents always revalidate anyway, regardless of the presence of the must-revalidate header.

So the point of must-revalidate is to force a 'bypass cache' when it goes stale, which can only happen when you have set a lifetime/age, thus if must-revalidate is set on a response with no age or other headers, it effectively becomes equivalent to no-cache since the response will be considered immediately stale.

-- So I'm going to finally mark Gili's answer!

Improve this question
4

6 Answers 6

Reset to default
250

must-revalidate means:

The browser may use stale cache entries if and only if the server confirms that they are still valid (using conditional requests).

Whereas no-cache means:

must-revalidate plus the fact that server responses becomes stale right away.

If a server response is cacheable for 10 seconds, then must-revalidate kicks in after 10 seconds, while no-cache kicks in immediately.

And finally, max-age: 0 should no longer be used.

My interpretation is based on RFC 7234 and Mozilla MDN. The latter reads:

It is often stated that the combination of max-age=0 and must-revalidate has the same meaning as no-cache.

Cache-Control: max-age=0, must-revalidate

max-age=0 means that the response is immediately stale, and must-revalidate means that it must not be reused without revalidation once it is stale — so, in combination, the semantics seem to be the same as no-cache. However, that usage of max-age=0 is a remnant of the fact that many implementations prior to HTTP/1.1 were unable to handle the no-cache directive — and so to deal with that limitation, max-age=0 was used as a workaround. But now that HTTP/1.1-conformant servers are widely deployed, there's no reason to ever use that max-age=0 and must-revalidate combination — you should instead just use no-cache.

Improve this answer
12
  • 3
    That's how I'm seeing it now. The interesting part is my last para, without an ETag or Last-Modified, the agent has nothing to use to validate what it has in cache and must download the whole payload again. So when the RFC says "revalidate" that probably means, re-fetch.
    – Luke Puplett
    Commented Nov 13, 2013 at 11:55
  • 66
    Which also means max-age=0, must-revalidate and no-cache are identical
    – Anshul
    Commented Apr 6, 2015 at 7:45
  • 7
    @Anshul, at first I thought you were right that 'max-age=0, must-revalidate and no-cache are identical', but see Jeffrey Fox's answer which seems to indicate that's not quite right.
    – Don Hatch
    Commented Jul 15, 2016 at 7:13
  • 4
    @Anshul No, must-revalidate and no-cache have different meaning for fresh responses: If a cached response is fresh (i.e, the response hasn't expired), must-revalidate will make the proxy serve it right away without revalidating with the server, whereas with no-cache the proxy must revalidate the cached response regardless of freshness. Source: "HTTP - The Definitive Guide", pages 182-183.
    – Matthias Braun
    Commented Jul 15, 2017 at 10:16
  • 11
    @MatthiasBraun Ah, I can see the source of confusion. May be I should have written no-cache and max-age=0, must-revalidate are identical
    – Anshul
    Commented Jul 27, 2017 at 11:33
28

max-age=0, must-revalidate and no-cache aren't exactly identical. With must-revalidate, if the server doesn't respond to a revalidation request, the browser/proxy is supposed to return a 504 error. With no-cache, it would just show the cached content, which would be probably preferred by the user (better to have something stale than nothing at all). This is why must-revalidate is intended for critical transactions only.

Improve this answer
5
  • 16
    Not sure about your no-cache interpretation. From the RFC 7234 The "no-cache" response directive indicates that the response MUST NOT be used to satisfy a subsequent request without successful validation on the origin server. This allows an origin server to prevent a cache from using it to satisfy a request without contacting it, even by caches that have been configured to send stale responses. This sounds similar to restrictions for must-revalidate
    – Anshul
    Commented Jul 21, 2016 at 11:46
  • 15
    Does Jeffrey have evidence that implementations behave how he has described?
    – OrangeDog
    Commented Aug 3, 2016 at 13:04
  • 1
    I think this answer is correct for proxy / lb servers. But indeed, browsers don't return a 504 in that case.
    – Yann Dìnendal
    Commented Jan 21, 2017 at 7:56
  • So must-validate means must-refresh
    – Simon_Weaver
    Commented Jan 14, 2019 at 22:46
  • 7
    developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control directly states "no-cache and max-age=0, must-revalidate indicates same meaning."
    – jess
    Commented Feb 3, 2021 at 21:49
23

With Jeffrey Fox's interpretation about no-cache, i've tested under chrome 52.0.2743.116 m, the result shows that no-cache has the same behavior as must-revalidate, they all will NOT use local cache when server is unreachable, and, they all will use cache while tap browser's Back/Forward button when server is unreachable. As above, i think max-age=0, must-revalidate is identical to no-cache, at least in implementation.

Improve this answer
2
  • 2
    Will Chrome use local cache when the server is available to revalidate? (i.e. "If-Modified-Since"). In both cases?
    – Rich
    Commented Aug 23, 2018 at 9:59
  • How do you test unreachable server? I think part of what makes cache-control header confusing to the uninitiated is that it is not clear how to test it.
    – bytrangle
    Commented May 12 at 4:34
4

For what it's worth, the MDN page on HTTP validation directly addresses this (emphasis mine):

It is often stated that the combination of max-age=0 and must-revalidate has the same meaning as no-cache.

Cache-Control: max-age=0, must-revalidate

max-age=0 means that the response is immediately stale, and must-revalidate means that it must not be reused without revalidation once it is stale — so in combination, the semantics seem to be the same as no-cache.

However, that usage of max-age=0 is a remnant of the fact that many implementations prior to HTTP/1.1 were unable to handle the no-cache directive — and so to deal with that limitation, max-age=0 was used as a workaround.

But now that HTTP/1.1-conformant servers are widely deployed, there's no reason to ever use that max-age=0-and-must-revalidate combination — you should instead just use no-cache.

For reference (for our own personal cache control, heh) that MDN page was last updated on June 1, 2022; and I pulled that quote on June 10, 2022 (archive June 8).

Improve this answer
2
  • Great explanation, and so typical for us devs to forget about the ancient compatibility reasons of old... in our SlickStack (LEMP) project, for dynamic content e.g. WordPress pages, we set nocache but enable server-side Nginx FastCGI caching, and for static files we set public, max-age=691200 which might also be overwritten by CDNs like Cloudflare.
    – Jesse Nickles
    Commented Sep 5, 2022 at 10:14
  • It says "there's no reason" to use one over the other, but doesn't directly say that they have identical behaviour. In particular, is there a difference as to whether clients will use "If-Modified-Since" requests? I think this text leaves that possibility open
    – Rich
    Commented Feb 13, 2023 at 13:52
0

Agreed with part of @Jeffrey Fox's answer:

max-age=0, must-revalidate and no-cache aren't exactly identical.

Not agreed with this part:

With no-cache, it would just show the cached content, which would be probably preferred by the user (better to have something stale than nothing at all).

What should implementations do when cache-control: no-cache revalidation failed is just not specified in the RFC document. It's all up to implementations. They may throw a 504 error like cache-control: must-revalidate or just serve a stale copy from cache.

Improve this answer
-2

I think there is a difference between max-age=0, must-revalidate and no-cache:

In the must-revalidate case the client is allowed to send a If-Modified-Since request and serve the response from cache if 304 Not Modified is returned.

In the no-cache case, the client must not cache the response, so should not use If-Modified-Since.

Improve this answer
4
  • 9
    But no-cache does not mean no-store - with no-cache, the resource can still be cached in the client; it just must be re-validated before being used?
    – Aron
    Commented Aug 13, 2018 at 16:49
  • 7
    You are conflating no-cache and no-store. no-cache means the resource MUST be revalidated. Revalidate includes the option to use conditional requests, such as If-None-Match and If-Modified-Since.
    – Jules Sam. Randolph
    Commented Aug 17, 2018 at 17:24
  • 1
    @JulesRandolph: you may be right. Do you have any tests / demos? All the conflicting evidence-free assertions on this q are frustrating. Even the accepted answer just says "At least, that's my interpretation". I might set up a test bed and post it here if I get some time.
    – Rich
    Commented Aug 23, 2018 at 9:58
  • I'm wrong was a bug on my end.
    – Michael Rogers
    Commented Feb 14, 2023 at 2:52

Not the answer you're looking for? Browse other questions tagged or ask your own question.