logo hsb.horse
← Back to blog index

Blog

My Notes on `Cache-Control: max-age=3, must-revalidate`

A breakdown of the behavior behind a micro-caching Cache-Control setting. This article covers what `max-age=3` plus `must-revalidate` actually does, a timeline of how it behaves, and concrete use cases.

Published:
#http #cache #performance

Translations

German French Japanese Korean Portuguese

I looked into the header Cache-Control: max-age=3, must-revalidate, so I am writing down my understanding before I forget it.

This setting means: “use the cache for only a very short time, three seconds, and once it expires, always go back to the origin server for validation.” This approach is commonly called micro-caching. It is often used to protect a server from sudden traffic spikes while keeping content close to real time.

What each directive means

First, it helps to separate the meaning of each directive.

max-age=3

This tells browsers and CDN caches that the content is fresh for only three seconds. During that window, no request goes to the origin server. The response is returned immediately from cache.

must-revalidate

Once the cache expires after those three seconds, this directive forces caches to revalidate with the origin server and never serve stale content without explicit approval.

Without this directive, some caches or configurations may choose to return stale content when the origin is down. must-revalidate clearly forbids that behavior.

Timeline of how it behaves

It is easier to understand by simulating what happens when a user loads the page.

TimingUser actionBehaviorStatus code
First requestAccess the pageFetch from the origin server and render it200 OK
Immediately to within 3 secondsReload / navigateNo request to the origin. The browser or CDN serves the cached response200 (from cache)
After 3 secondsReload / navigateThe cache is now expired. The browser sends a conditional request to the originNetwork request occurs
→ No changeThe server answers that nothing changed. The old cache becomes valid again for another 3 seconds. No content body is downloaded304 Not Modified
→ ChangedThe server returns the updated content200 OK

The key part is the 304 Not Modified case after those three seconds. Since the content body does not need to be downloaded again, both bandwidth usage and latency stay low.

Benefits of this setting

This header works especially well when freshness matters but traffic volume is very high. There are three main benefits worth remembering.

A dramatic reduction in origin load

Imagine a site receiving 1,000 requests per second. With max-age=3, the origin may only need to handle roughly one validation window every three seconds, while the rest is absorbed by cache layers, especially when a CDN is involved.

Even a three-second cache can make a huge difference under heavy traffic.

Almost real-time updates

New content becomes visible after at most three seconds. That is not truly real time, but it is an acceptable tradeoff for many products.

Protection against showing stale information

Because of must-revalidate, clients cannot silently keep showing old data after the cache expires. If accuracy matters, this is important.

Concrete use cases

I tried to think through where this pattern actually fits.

Good fits

  • News homepages and listing pages: new articles should appear quickly, but a delay of a few seconds is acceptable, and these pages often get traffic spikes
  • Inventory status on an ecommerce site: a few seconds of delay is fine, but showing sold-out items as available is not. must-revalidate helps avoid stale stock information
  • Event or campaign landing pages: a large burst of traffic can come from social media right after publication. Micro-caching helps absorb the initial wave while still allowing fast updates
  • Dashboard summary views: not as time-sensitive as real-time charts, but still expected to reflect recent KPIs. If polling happens every three seconds or more, this header can work well
  • List-style API responses: adding this header to a listing API can let a CDN cache responses and reduce load on the origin

Bad fits

  • Static assets such as CSS, JS, and images: those usually change infrequently. File hashing with max-age=31536000,immutable is a better choice
  • Blog article detail pages: they usually are not updated often after publication, so a much longer max-age is usually fine
  • Real-time chat or WebSocket traffic: HTTP caching does not apply here, and even a three-second delay is too much
  • User-specific content: for pages like account dashboards, shared CDN caching is usually inappropriate. Combine other directives such as private where needed

Things to watch out for

There are a few easy-to-miss tradeoffs.

A request every three seconds after expiry

After each three-second window, a conditional request is guaranteed. Compared with longer max-age values, this makes network latency matter more. It is worth thinking about UX on slow networks.

Behavior while offline

Because of must-revalidate, if the network is unavailable or the origin is down, the client is likely to show an error even when an expired cache exists. In other words, this policy says: “if I cannot confirm freshness, fail rather than show stale content.”

If that is too strict, combine other directives such as stale-while-revalidate or stale-if-error.

Summary

Cache-Control: max-age=3, must-revalidate is an aggressive balance for situations where freshness matters but you still do not want to melt the origin server.

The term “micro-caching” sounds more dramatic than it is. In practice, it means caching for only a few seconds. Under heavy traffic, those few seconds can have an outsized effect.

Before you use it, make sure the target actually fits the pattern. If you apply it to static assets or rarely updated pages, you only add unnecessary revalidation requests.