Cache-Control: public vs private Directive

Understand the difference between public and private Cache-Control directives, when to use each, and how they affect CDN and proxy caching behavior.

Detailed Explanation

public vs private

The public and private directives control who is allowed to cache a response. They determine whether shared caches (CDNs, reverse proxies) can store the response alongside the end user's browser.

public

Cache-Control: public, max-age=86400

The public directive explicitly allows any cache — browser, CDN, proxy, gateway — to store the response. This is the right choice for content that is identical for all users.

Use public for:

  • Static assets (CSS, JavaScript, images, fonts)
  • Public API endpoints that return the same data for everyone
  • Marketing pages and blog posts

private

Cache-Control: private, max-age=300

The private directive restricts caching to the end user's browser only. Shared caches (CDNs, corporate proxies) must not store the response.

Use private for:

  • Personalized pages (dashboard, profile, account settings)
  • Authenticated API responses containing user-specific data
  • Responses that include session tokens or CSRF tokens
  • Shopping cart contents

Default Behavior

If neither public nor private is specified:

  • Responses to requests that carry no Authorization header may be stored by shared caches, subject to the usual freshness rules
  • Responses to requests that carry an Authorization header are treated as private, so shared caches must not store them unless public is explicitly set

Common Mistake

A frequent error is setting public on authenticated API responses. This can cause CDNs to serve User A's private data to User B. Always use private when the response varies per user.

Use Case

When deploying a Next.js application behind a CDN like Cloudflare or Fastly, static assets (JS bundles, CSS, images) should use 'public, max-age=31536000, immutable' so the CDN caches them globally. API routes that return user-specific data (e.g., /api/me) must use 'private, max-age=0, must-revalidate' to prevent the CDN from accidentally serving one user's data to another. Getting this distinction right is critical for both performance and security.
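The following is an added example, not code from the original page: a small audit helper that applies the default-behavior rule and the public/private rules above to a request/response pair and flags the mistake described under Common Mistake. It assumes header names are lower-cased, as Node's http module and Next.js route handlers provide them.

```javascript
// Parse "private, max-age=300" into { private: true, "max-age": "300" }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, raw] = part.trim().split("=");
    if (name) directives[name.toLowerCase()] = raw === undefined ? true : raw.replace(/^"|"$/g, "");
  }
  return directives;
}

// Would a shared cache (CDN, reverse proxy) store this response?
// Models the default behaviour described above: with an Authorization request
// header the response is treated as private unless public is set (RFC 9111 also
// lets s-maxage or must-revalidate override that default, so both are honoured).
function sharedCacheMayStore(reqHeaders, resHeaders) {
  const cc = parseCacheControl(resHeaders["cache-control"]);
  if (cc["no-store"] || cc["private"]) return false;
  if (reqHeaders["authorization"]) {
    return Boolean(cc["public"] || cc["s-maxage"] || cc["must-revalidate"]);
  }
  return true; // storable; freshness (max-age etc.) is not modelled here
}

// Flag a per-user response that a CDN would store. A response counts as
// per-user when the request carried credentials (Authorization or Cookie)
// or the response sets a cookie.
function auditCacheControl(reqHeaders, resHeaders) {
  const perUser = Boolean(reqHeaders["authorization"] || reqHeaders["cookie"] || resHeaders["set-cookie"]);
  const storedByCdn = sharedCacheMayStore(reqHeaders, resHeaders);
  if (perUser && storedByCdn) {
    return { ok: false, reason: "per-user response storable by shared caches; use Cache-Control: private" };
  }
  return { ok: true, reason: storedByCdn ? "shared caches may store" : "shared caches must not store" };
}

// Constructed sample (assumed route name /api/me): the same authenticated
// response marked public (the mistake) and marked private (the fix).
const authed = { authorization: "Bearer example-token" };
const bad = auditCacheControl(authed, { "cache-control": "public, max-age=60" });
const good = auditCacheControl(authed, { "cache-control": "private, max-age=0, must-revalidate" });
console.log(bad.reason, "|", good.reason);
```

Note that must-revalidate on its own, without private, lets a shared cache store an authenticated response, so the private directive is what actually keeps /api/me out of the CDN.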
