Difference between no-cache and must-revalidate
For what it's worth, the MDN page on HTTP validation directly addresses this (emphasis mine):
It is often stated that the combination of
max-age=0andmust-revalidatehas the same meaning asno-cache.Cache-Control: max-age=0, must-revalidate
max-age=0means that the response is immediately stale, andmust-revalidatemeans that it must not be reused without revalidation once it is stale — so in combination, the semantics seem to be the same asno-cache.However, that usage of
max-age=0is a remnant of the fact that many implementations prior to HTTP/1.1 were unable to handle theno-cachedirective — and so to deal with that limitation,max-age=0was used as a workaround.But now that HTTP/1.1-conformant servers are widely deployed, there's no reason to ever use that
max-age=0-and-must-revalidatecombination — you should instead just useno-cache.
For reference (for our own personal cache control, heh) that MDN page was last updated on June 1, 2022; and I pulled that quote on June 10, 2022 (archive June 8).
With Jeffrey Fox's interpretation about no-cache, i've tested under chrome 52.0.2743.116 m, the result shows that no-cache has the same behavior as must-revalidate, they all will NOT use local cache when server is unreachable, and, they all will use cache while tap browser's Back/Forward button when server is unreachable.
As above, i think max-age=0, must-revalidate is identical to no-cache, at least in implementation.
I believe that must-revalidate means :
Once the cache expires, refuse to return stale responses to the user even if they say that stale responses are acceptable.
Whereas no-cache implies :
must-revalidateplus the fact the response becomes stale right away.
If a response is cacheable for 10 seconds, then must-revalidate kicks in after 10 seconds, whereas no-cache implies must-revalidate after 0 seconds.
At least, that's my interpretation.
max-age=0, must-revalidate and no-cache aren't exactly identical. With must-revalidate, if the server doesn't respond to a revalidation request, the browser/proxy is supposed to return a 504 error. With no-cache, it would just show the cached content, which would be probably preferred by the user (better to have something stale than nothing at all). This is why must-revalidate is intended for critical transactions only.