Understanding caching is an important part of web development. From a performance point of view, you don’t want a client to be downloading the same large file again and again. But from a security point of view, you don’t want sensitive data, such as users’ personal details, cached by shared web proxies and served to other users.

There are many aspects to HTTP caching, but the one that’s always confused me the most is the Cache-Control header. There are so many options! When should I use each one? Why does no-cache not mean “disable caching”??!

To help myself remember what all the options do I made this little flowchart. Hopefully you’ll find it useful too. If you spot an error, please contribute on GitHub. And if somebody wants to make a prettier version, please do! (Just credit me).

PDF version