HTTP Cache-Control header max-age vs max-age, must-revalidate

Question

I want to find difference between max-age alone and max-age with must-revalidate in Cache-Control header.

I did verification on chrome with both of these.

1. max-age=10 - It means that the response is no longer valid after 10 seconds and client has to reach to server to get the fresh result and should not serve the cached response or clear the response after 10 seconds.

2. max-age=10, must-revalidate - Here must-revalidate defines the same thing, but there can be 304 response from server and browser can use the cached data even after 10 seconds.

Assuming, difference with scenario 1, browser has to clear the cache and should expect fresh response from server, while in scenario 2 browser can keep the cached response and expect 304 status or fresh response.

But, practically in chrome above statements are not true, even if we respond with 403 chrome still serves the response from cache and by that mean there is no difference. Below is the code sample for rest api.

var ccpublicWrongResp =  3;
var ccpublicWrongRespCount  = 0;
app.get('/ccpublic', function (req, res) {
  console.log(req.url + " - " + new Date().getSeconds());
  ccpublicWrongRespCount++;
   if(ccpublicWrongRespCount >= ccpublicWrongResp){
    console.log("Sending 304");
    res.statusCode = (304);
    res.send();
  }else{
    res.set('Cache-Control', 'public, max-age=12');
    res.send("Please check after 12 seconds ");
  }  
});

var j = 1;
app.get('/mustrevalidate', function (req, res) {
  console.log(req.url + " - " + new Date().getSeconds());
  j++;
  ccpublicWrongRespCount++;
  if(ccpublicWrongRespCount >= ccpublicWrongResp){
    console.log("Sending 304");
    res.statusCode = (304);
    res.send();
  }else{
    res.set('Cache-Control', 'public, max-age=12, must-revalidate');
    res.send(j + " with must-revalidate");
  }
});

Answer 1

The first thing to understand is that caches will attempt to revalidate a stale resource (rather than get a full response) whenever possible. That's why you see the same behavior with your two tests.

Next, understand that caches are allowed to serve stale responses in some cases; in particular, if they can't connect to the origin server.

Now we can see the purpose of must-revalidate. It just means that the cache should never serve stale responses.

The must-revalidate response directive indicates that once it has become stale, a cache MUST NOT use the response to satisfy subsequent requests without successful validation on the origin server.

Put differently, you were interpreting the directive to mean "Must revalidate instead of getting a full response", but it actually means "Must revalidate instead of serving stale content, even in those situations where the cache would otherwise be able to do so."

Note that in most cases the use of this header is inappropriate:

The must-revalidate directive ought to be used by servers if and only if failure to validate a request on the representation could result in incorrect operation.