How do I write a Cache-Control header?

Combine directives with commas in one header value. A typical long cache for a fingerprinted asset is Cache-Control: public, max-age=31536000, immutable. For a page that must stay current use Cache-Control: no-cache, which still lets the browser store the copy but forces a revalidation with the origin before each reuse. This builder assembles the value for you and copies the full line so you do not have to remember the exact comma spacing.

What unit is max-age in?

max-age is always in seconds, a single integer with no unit suffix. One hour is max-age=3600, one day is max-age=86400, and one year is max-age=31536000. Because seconds get unreadable fast, the freshness fields here take days, hours, minutes and seconds and add them up, so you can type 365 days and read back 31536000 without doing the arithmetic yourself.

What is the difference between no-cache and no-store?

no-cache does allow storage. The browser keeps the response but must check with the origin (typically via an ETag or Last-Modified validator) before serving it again, so a 304 Not Modified saves the body transfer. no-store is stricter and forbids writing the response to any cache or disk at all, which is what you want for a bank balance or a one-time token. Reach for no-cache when freshness matters but you still want cheap revalidation, and no-store only for genuinely sensitive content.

When should I use immutable?

Use immutable on content-hashed static assets such as app.4f3a1c.js or a versioned image. It tells the browser that, while the response is fresh under its max-age, the body will never change, so the browser skips even the conditional revalidation request on a reload. Pair it with a long max-age like a year, because immutable without a max-age has nothing to apply to and this tool will flag that as a mistake.

How do I cache static assets for a year?

Set Cache-Control: public, max-age=31536000, immutable, which is the static-immutable preset here. This only works safely when the filename carries a content hash, so a new build produces a new URL and the old cached copy can never go stale against fresh markup. If your asset URLs are stable and unhashed, a year-long immutable cache will strand users on old code, so shorten the max-age or add a hash to the filename first.

What does stale-while-revalidate do?

stale-while-revalidate=N lets a cache serve a stale response for up to N seconds after max-age expires while it fetches a fresh copy in the background. The visitor gets an instant (slightly stale) page and the next visitor gets the refreshed one, so you trade a little staleness for zero blocking revalidation. It pairs naturally with a short max-age on API responses, which is exactly what the api-short preset sets up.

Cache fingerprinted assets for a year safely

Your bundler emits app.4f3a1c.js with a content hash in the name, so a new build always means a new URL. Pick the static-immutable preset and you get public, max-age=31536000, immutable in one click. Copy the Nginx add_header line straight into your assets location block. The old file can never go stale against new markup because its URL retires with the build, which is the whole reason a year-long immutable cache is safe here and dangerous on unhashed paths.

Keep an HTML page current without killing caching

A marketing landing page changes a few times a week and must never show a stale price. Reach for no-cache rather than no-store: the browser still keeps the copy, but revalidates with your origin before each reuse, so an unchanged page returns a cheap 304 instead of the full body. The html-no-cache preset wires this up, and the warning panel will stop you if you accidentally also tick immutable.

Tune a CDN edge cache separately from the browser

You want browsers to hold an API response for 60 seconds but let the CDN edge keep it for an hour to absorb traffic spikes. Set max-age=60 for the browser and s-maxage=3600 for shared caches in the same header. The builder shows both, copies the combined value, and the share link lets you paste the exact split into a pull request for review.

Lock down a sensitive endpoint

An account settings page or a signed download URL should never touch a disk cache or a shared proxy. The no-store preset emits a single no-store directive, and the conflict checker will flag it if you later add a max-age or a public directive that would contradict the intent. Copy the Apache Header set line into the protected directory's config and move on.

Cache-Control Builder for HTTP Caching Headers

Tick the directives, set the lifetime, copy a correct Cache-Control header plus Nginx and Apache lines

Runs locally
Category Developer & DevOps
Best for Formatting, validating, shrinking, or inspecting code-adjacent text.

Presets

Directives

publicAny cache (browser + CDN) may store itprivateOnly the end user browser may store itno-cacheStore, but revalidate every time before reuseno-storeNever write to any cache or diskmust-revalidateOnce stale, never serve without checking originimmutableBody never changes during max-age, skip revalidation

Freshness lifetimes

max-age

s-maxage (shared / CDN)

stale-while-revalidate

Cache-Control header

# No directives selected yet

Nginx

# No directives selected yet

Apache

# No directives selected yet

What this tool does

A free Cache-Control header builder for developers tuning HTTP caching. Tick directives like public, private, no-cache, no-store, must-revalidate and immutable, then set max-age, s-maxage and stale-while-revalidate using a friendly days / hours / minutes / seconds input that converts to seconds for you. The tool assembles the header value in conventional order and warns about contradictions the moment they appear, such as no-store paired with a max-age that gets silently ignored, or public and private fighting over the same response. Pick a preset for the common cases (static assets cached a year as immutable, HTML that always revalidates, a short API cache with background refresh) or hand-tune from scratch. Every change copies out as a raw header line, an Nginx add_header directive and an Apache Header set line. Runs entirely in your browser, nothing is uploaded, and the share link reopens your exact configuration.

Tool details

Input: Numbers; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Shareable URL state; Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget: Initial JS <= 9 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Developer & DevOps · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How Cache-Control Builder fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

Formatting, validating, shrinking, or inspecting code-adjacent text.
Preparing snippets for documentation, tickets, commits, or handoff.
Checking a small payload quickly without switching tools.

Developer checks

Run irreversible transforms like minify or obfuscate on a copy.
Keep secrets out of pasted snippets unless the tool explicitly stays local.
Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Cache fingerprinted assets for a year safely
Your bundler emits app.4f3a1c.js with a content hash in the name, so a new build always means a new URL. Pick the static-immutable preset and you get public, max-age=31536000, immutable in one click. Copy the Nginx add_header line straight into your assets location block. The old file can never go stale against new markup because its URL retires with the build, which is the whole reason a year-long immutable cache is safe here and dangerous on unhashed paths.
Keep an HTML page current without killing caching
A marketing landing page changes a few times a week and must never show a stale price. Reach for no-cache rather than no-store: the browser still keeps the copy, but revalidates with your origin before each reuse, so an unchanged page returns a cheap 304 instead of the full body. The html-no-cache preset wires this up, and the warning panel will stop you if you accidentally also tick immutable.
Tune a CDN edge cache separately from the browser
You want browsers to hold an API response for 60 seconds but let the CDN edge keep it for an hour to absorb traffic spikes. Set max-age=60 for the browser and s-maxage=3600 for shared caches in the same header. The builder shows both, copies the combined value, and the share link lets you paste the exact split into a pull request for review.
Lock down a sensitive endpoint
An account settings page or a signed download URL should never touch a disk cache or a shared proxy. The no-store preset emits a single no-store directive, and the conflict checker will flag it if you later add a max-age or a public directive that would contradict the intent. Copy the Apache Header set line into the protected directory's config and move on.

Common pitfalls

Pairing no-store with a max-age. no-store forbids any storage, so the max-age has nothing to keep fresh and is silently ignored. If you actually want revalidation rather than no storage, use no-cache instead, which keeps the copy and checks the origin before reuse.
Setting immutable without a max-age. immutable only promises the body will not change during the freshness window, so with no max-age there is no window to apply it to. Always give immutable a long max-age, and only on content-hashed URLs.
Treating max-age as minutes or hours. It is always seconds. Writing max-age=60 thinking it means a minute is correct, but max-age=3600 expecting an hour while reading it as minutes leaves you cached 60 times too long. Use the days / hours / minutes input here so the seconds are computed for you.

Privacy

Every part of this tool runs as plain JavaScript in your browser tab: the header assembly, the seconds conversion and the conflict checks. No directive, lifetime or generated header ever leaves the page, and nothing is logged. The one caveat is the share link, which encodes your selected options in the query string, so a link pasted into chat records that configuration in the recipient server's access log. The values here are caching policy, not secrets, so that is rarely sensitive, but use the copy button rather than the URL if you would rather not broadcast it.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Developer

Browse all tools for this role

Cache-Control Builder for HTTP Caching Headers

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How Cache-Control Builder fits into your work

Developer jobs

Developer checks

Good next steps

Real-world use cases

Cache fingerprinted assets for a year safely

Keep an HTML page current without killing caching

Tune a CDN edge cache separately from the browser

Lock down a sensitive endpoint

Common pitfalls

Privacy

FAQ

Unit Converter

JSON Formatter & Validator

HTTP Security Header Auditor

HTTP Header Extractor

HTTP Status Code Explorer

Meta Tag Generator

AI Eval Planner

API Key Generator

ASCII Table Generator

ASCII Table Reference

awk + sed Cheatsheet

AWS CLI Cheatsheet