Cache-Control: public, max-age=31536000

public means the response is the same for all users (it does not contain any personalized information). max-age is in seconds from now. 31536000 = 60 * 60 * 24 * 365.

This is recommended for static assets that are never meant to change.

Cache-Control: private, max-age=60

private specifies that the response can be cached only for user who requested the resource, and can't be reused when other users request the same resource. This is appropriate for responses that depend on cookies.

Cache-Control: no-cache

The client will behave as if the response was not cached. This is appropriate for resources that can unpredictably change at any time, and which users must always see in the latest version.

Responses with no-cache will be slower (high latency) due to need to contact the server every time they're used.

However, to save bandwidth, the clients may still store such responses. Responses with no-cache won't be used to satisfy requests without contacting the server each time to check whether the cached response can be reused.

 Cache-control: no-store

Instructs clients no to cache the response in any way, and to forget it at soon as possible.

This directive was originally designed for sensitive data (today HTTPS should be used instead), but can be used to avoid polluting caches with responses that can't be reused.

It's appropriate only in specific cases where the response data is always different, e.g. an API endpoint that returns a large random number. Otherwise, no-cache and revalidation can be used to have a behavior of "uncacheable" response, while still being able to save some bandwidth.

• Expires — specifies date when the resource becomes stale. It relies on servers and clients having accurate clocks and supporting time zones correctly. Cache-control: max-age takes precedence over Expires, and is generally more reliable.

• post-check and pre-check directives are non-standard Internet Explorer extensions that enable use of stale responses. The standard alternative is stale-while-revalidate.

• Pragma: no-cache — obsoleted in 1999. Cache-control should be used instead.

The easiest method to bypass cache is to change the URL. This is used as a best practice when the URL contains a version or a checksum of the resource, e.g.

http://example.com/image.png?version=1
http://example.com/image.png?version=2

These two URLs will be cached separately, so even if …?version=1 was cached forever, a new copy could be immediately retrieved as …?version=2.

Please don't use random URLs to bypass caches. Use Cache-control: no-cache or Cache-control: no-store instead. If responses with random URLs are sent without the no-store directive, they will be unnecessarily stored in caches and push out more useful responses out of the cache, degrading performance of the entire cache.