no-cache: validate cache as the latest one before using it.
This means that a cache should not serve a stored copy of the response without validating its freshness with the server. The response can be stored in a cache, but it must check with the server before serving it. This does not mean that the response should not be stored in cache; rather, that it should not be served from cache without checking its validity.
In the response, it contains 'ETag' in the response header which respensent the version of cache.
Using the ETag to validate wheather the cache is latest or not.
Server retrun 304 if the cache is latest
Using new cache if the ETag is out of date.
must-revalidate: works together with max-age, after timeout, must revalidate again
This means that once a resource becomes stale, caches must not use their stale copy without successful validation on the origin server. In other words, if the cached version is past its expiration time, the cache must check with the server if the resource has been updated. If the server has no newer version, the cached version can still be used.
Notice that:
If ETag was updated on server, but not over the max-age, which means cache is still Fresh, in this case, we can still use the cache; Only after expired time, we revalidate the cache.
no-store: don't use cache
This is an instruction to the cache system to not store a version of the resource for future use. Essentially, the response must be fetched from the server every time the client asks for it.
private: prevent caches on shared cache
This means that the response message is intended for a single user (normally the one that made the request) and must not be stored by shared caches. It's used when the response is user-specific and not the same for all users.
stale-while-revalidate: use cache first, while do revalidation
This is a more recent addition to the caching directives, and is not universally supported. When a cache uses this directive, it can serve a stale (i.e., past its expiration date) response while it revalidates it in the background, thus improving performance and response time to the client.
It also get a timing, if expired, then do the fetch again before use it, like must-revalidate.
