no-cache, no-store, must-revalidate — Belt-and-suspenders: disables storage and forces
revalidation. Maximally prevents caching across all cache layers including legacy HTTP/1.0 proxies.
no-store — Response must never be stored. Bypasses all caches (browser, CDN, proxy).
Use for sensitive data (user dashboards, auth responses, banking pages).
private, max-age=<seconds> — Cacheable only by the end-user's browser, not by shared caches (CDNs, proxies).
Use for personalised content that must not be stored on shared infrastructure.
public, max-age=<seconds> — Cacheable by any cache (CDN, proxy, browser).
Optionally add stale-while-revalidate to serve stale content while revalidating in the background.
Handle-level enforcer. Matches pathname against rules and sets Cache-Control via setHeaders(). Only sets the header when a rule matches.
Usage: export const handle = enhance(handler, CacheControl.global({ match: /^\/api\//, directive: CacheControl.noStore }, { match: /^\/blog\//, directive: CacheControl.public(300) }));
Load-level policy. Sets Cache-Control for this specific route via setHeaders().
Usage: export const load = load(fn, CacheControl.local(CacheControl.public(300)));
no-cache — Response may be stored but must be revalidated with the origin before reuse. Useful when content changes frequently but you still want conditional GET support (ETags / Last-Modified).
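
Because the handle-level enforcer only sets Cache-Control when a rule matches, a sensitive route that no rule covers is sent without the header. The following added example (not code from this library) audits a rule set against a list of sensitive paths and reports any that a shared cache could still store. The rule shape { match, directive } follows the usage above; first-match-wins ordering, the sample paths and all function names are assumptions of this example.

```javascript
// Added example: stand-alone audit of pathname -> Cache-Control rules.
// Assumption: the first matching rule wins; names here are hypothetical.
const rules = [
  { match: /^\/api\//, directive: 'no-store' },
  { match: /^\/account\//, directive: 'private, max-age=60' },
  { match: /^\/blog\//, directive: 'public, max-age=300, stale-while-revalidate=60' },
];

// Returns the directive of the first rule matching the pathname, or null
// when no rule matches (in which case no header would be set).
function resolveDirective(pathname, ruleList) {
  const hit = ruleList.find((r) => r.match.test(pathname));
  return hit ? hit.directive : null;
}

// Splits a Cache-Control value into lower-cased directive names.
function directiveNames(value) {
  return value
    .split(',')
    .map((d) => d.trim().split('=')[0].toLowerCase())
    .filter(Boolean);
}

// Classifies what a shared cache (CDN, proxy) may do with the response.
function sharedCacheExposure(value) {
  if (value === null) return 'unset'; // no header: left to each cache's defaults
  const names = directiveNames(value);
  if (names.includes('no-store') || names.includes('private')) return 'blocked';
  if (names.includes('no-cache')) return 'revalidate'; // stored, revalidated before reuse
  return 'storable';
}

// Reports every sensitive path that is not kept out of shared caches.
function auditSensitivePaths(paths, ruleList) {
  return paths
    .map((p) => ({ path: p, directive: resolveDirective(p, ruleList) }))
    .map((r) => ({ ...r, exposure: sharedCacheExposure(r.directive) }))
    .filter((r) => r.exposure !== 'blocked');
}

// Constructed sample paths standing in for personalised or authenticated pages.
const sensitive = ['/api/session', '/account/billing', '/dashboard', '/blog/drafts/mine'];
const findings = auditSensitivePaths(sensitive, rules);
console.log(findings);
```

Running a check like this in CI against the list of authenticated routes catches both gaps it reports here: a path with no matching rule, and a path caught by a broader public rule.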