Should I Cache This HTTP Response?
Misconfigured caching is one of the most common sources of security bugs and stale data in web applications. This tree walks through the key questions about personalization, freshness, and revalidation to recommend the right Cache-Control directive for your response.
Decision Steps
Is this response personalized or does it contain sensitive user data (e.g., account page, API token, PII)?
Should the response be cached at all (even in the browser's private cache)?
Does the response change based on request headers like Accept-Language or Accept-Encoding?
Is the content essentially static (changes rarely, like a translated homepage)?
Is the response a static asset with a versioned URL (e.g., /static/app.abc123.js)?
Does the response data change frequently (e.g., live scores, stock prices, feeds)?
Can you tolerate slightly stale content in exchange for faster responses (background revalidation)?
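The questions above can be encoded directly as a function that returns the Cache-Control (and Vary) header for a response, together with a small audit that flags the leak this tree is meant to prevent: a personalized response that a shared cache (CDN, reverse proxy) is allowed to store. This is an added example, not part of the original tool; the concrete directive choices and TTL numbers (one year for hashed assets, one hour for rarely-changing pages, five seconds plus background revalidation for live data) are this example's assumptions based on RFC 9111 semantics, not values stated on the page.

```javascript
// Added example: the decision tree as code, plus an audit for the common
// "private data in a shared cache" misconfiguration. Directive values and
// TTLs below are assumptions of this example, not taken from the page.

const ONE_YEAR = 31536000;

/**
 * answers (all optional except where noted):
 *   personalized      - Q1: per-user or sensitive data?
 *   cacheable         - Q2: may even the browser store it? (false => no-store)
 *   variesOn          - Q3: request headers the body depends on, e.g. ['Accept-Language']
 *   staticContent     - Q4: changes rarely?
 *   versionedUrl      - Q5: content-hashed URL (/static/app.abc123.js)?
 *   changesFrequently - Q6: live scores, prices, feeds?
 *   staleOk           - Q7: tolerate slightly stale content while revalidating?
 * Returns { cacheControl, vary } where vary is null when no Vary header is needed.
 */
function recommendCacheControl(answers) {
  const variesOn = answers.variesOn || [];
  const vary = variesOn.length ? variesOn.join(', ') : null;

  // Q2 first: a response that must never be stored gets no-store, which
  // overrides every other directive (Vary is irrelevant for it).
  if (answers.cacheable === false) {
    return { cacheControl: 'no-store', vary: null };
  }
  // Q1: personalized but storable: only the user's own browser may keep it,
  // and it must revalidate before reuse. Never public, never a shared cache.
  if (answers.personalized) {
    return { cacheControl: 'private, no-cache', vary };
  }
  // Q4/Q5: static content. A content-hashed URL never changes in place, so
  // it can be cached for a year and marked immutable; an unversioned page
  // gets a shorter TTL and revalidation once it expires.
  if (answers.staticContent) {
    return answers.versionedUrl
      ? { cacheControl: `public, max-age=${ONE_YEAR}, immutable`, vary }
      : { cacheControl: 'public, max-age=3600, must-revalidate', vary };
  }
  // Q6/Q7: dynamic data. Serve briefly from cache and refresh in the
  // background if slight staleness is acceptable; otherwise always
  // revalidate (pair with ETag/Last-Modified so 304s stay cheap).
  if (answers.changesFrequently) {
    return answers.staleOk
      ? { cacheControl: 'public, max-age=5, stale-while-revalidate=30', vary }
      : { cacheControl: 'no-cache', vary };
  }
  // Not personalized, not static, not rapidly changing: a short shared TTL.
  return { cacheControl: 'public, max-age=300', vary };
}

// Parse a Cache-Control value into { directive: value-or-true }.
function parseCacheControl(header) {
  const directives = {};
  for (const part of header.split(',')) {
    const [name, value] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] =
      value === undefined ? true : value.replace(/^"|"$/g, '');
  }
  return directives;
}

// Check a Cache-Control value against what the response actually contains.
// Returns a list of findings; an empty list means nothing was flagged.
function auditCacheControl(header, { personalized }) {
  const d = parseCacheControl(header);
  const findings = [];
  // A shared cache may store the response when it is not marked private or
  // no-store and carries public, s-maxage, or a positive max-age.
  const sharedStorable =
    !d['private'] && !d['no-store'] &&
    (d['public'] === true || d['s-maxage'] !== undefined || Number(d['max-age']) > 0);
  if (personalized && sharedStorable) {
    findings.push('personalized response is storable by a shared cache; use private or no-store');
  }
  if (d['no-store'] && (d['max-age'] !== undefined || d['public'])) {
    findings.push('no-store combined with max-age/public is contradictory; keep only no-store');
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs: an account page and a hashed JS bundle.
  console.log(recommendCacheControl({ personalized: true, cacheable: true }));
  console.log(recommendCacheControl({ staticContent: true, versionedUrl: true }));
  console.log(auditCacheControl('public, max-age=600', { personalized: true }));
}
```

The audit is the check worth wiring into a test suite or a response middleware: it catches the case where a handler that emits PII is accidentally given a `public` or bare `max-age` header, which is the mistake behind most cache-based data exposure incidents.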