Every millisecond counts in web performance. Studies consistently show that even a 100ms delay in page load time can reduce conversion rates by several percent. At the heart of every high-performance web application lies a well-designed caching strategy — a multi-layered system that stores and serves data as close to the user as possible, minimizing redundant computation and network requests.
Caching is not a single technique but rather a hierarchy of complementary layers, each with its own strengths, trade-offs, and ideal use cases. From the browser’s local cache to globally distributed CDN nodes to your application’s in-memory data stores, understanding how these layers interact is essential for building fast, scalable web applications. If you’re working on web performance optimization, caching should be the first tool you reach for.
In this guide, we’ll walk through every major caching layer, explain when and how to use each one, provide practical code examples, and discuss cache invalidation — the notoriously difficult problem that makes caching both powerful and tricky.
The Caching Hierarchy: Understanding the Layers
Think of caching as a series of checkpoints between the user and your origin server. Each layer sits progressively closer to the user, and the closer the cache, the faster the response:
- Browser Cache — stored on the user’s device, zero network latency
- Service Worker Cache — programmable proxy in the browser, enables offline access
- CDN / Edge Cache — distributed global network, low-latency responses from nearby PoPs
- Reverse Proxy Cache — sits in front of your application servers (Nginx, Varnish)
- Application-Layer Cache — in-memory stores like Redis or Memcached within your infrastructure
- Database Query Cache — cached query results at the database level
The goal is to serve every request from the highest (closest to user) cache layer possible, falling through to lower layers only when necessary. Let’s examine each one in detail.
Layer 1: Browser Cache and HTTP Cache Headers
The browser cache is your first line of defense. When configured correctly, it eliminates network requests entirely for returning visitors. The browser stores responses locally and serves them directly from disk or memory based on HTTP cache headers.
Key HTTP Cache Headers
Cache-Control is the primary header for controlling caching behavior. It replaces the older Expires header and offers granular directives:
max-age=31536000— cache for one year (common for versioned static assets)no-cache— store in cache but revalidate with the server before every useno-store— never cache this response at all (sensitive data like banking pages)private— only the browser may cache this (not CDNs or proxies)public— any cache layer may store this responsestale-while-revalidate=60— serve stale content while fetching fresh data in the background
ETag and Last-Modified enable conditional requests. When a cached resource expires, the browser sends an If-None-Match or If-Modified-Since header. If the resource hasn’t changed, the server responds with 304 Not Modified — saving bandwidth by not re-transmitting the body.
Practical Header Strategy
The recommended approach is to use different strategies for different asset types. If you’re configuring Nginx for your web server, a common pattern looks like this:
- Versioned assets (JS, CSS with hash in filename):
Cache-Control: public, max-age=31536000, immutable - HTML pages:
Cache-Control: no-cache(always revalidate but allow caching) - API responses:
Cache-Control: private, max-age=0, must-revalidatewith ETag - Images and fonts:
Cache-Control: public, max-age=2592000(30 days)
The immutable directive tells the browser that the resource will never change at this URL — so it shouldn’t even bother revalidating. This is safe when filenames contain content hashes (e.g., app.3f2a1b.js).
Layer 2: Service Worker Cache — Programmable Power
Service Workers give you a programmable network proxy running in the browser. Unlike HTTP cache headers where the browser controls behavior, Service Workers let you write custom JavaScript to intercept every network request and decide how to handle it. This is a foundational technology behind Progressive Web Apps.
Common Caching Strategies
Several well-established patterns exist for Service Worker caching, each suited to different types of resources:
- Cache First — check cache, fall back to network. Ideal for static assets that rarely change.
- Network First — try network, fall back to cache. Best for API data where freshness matters.
- Stale While Revalidate — serve from cache immediately, update cache in the background. Great balance of speed and freshness.
- Network Only — bypass cache entirely. For non-cacheable requests like POST endpoints.
- Cache Only — serve exclusively from cache. For pre-cached app shell resources.
Here is a practical implementation of a Service Worker with multiple caching strategies applied to different route patterns:
// sw.js — Service Worker with multi-strategy caching
const CACHE_VERSION = 'v2.4.1';
const STATIC_CACHE = `static-${CACHE_VERSION}`;
const DYNAMIC_CACHE = `dynamic-${CACHE_VERSION}`;
const IMAGE_CACHE = `images-${CACHE_VERSION}`;
const STATIC_ASSETS = [
'/',
'/css/main.css',
'/js/app.js',
'/fonts/inter-var.woff2',
'/offline.html'
];
// Pre-cache critical assets during installation
self.addEventListener('install', (event) => {
event.waitUntil(
caches.open(STATIC_CACHE)
.then(cache => cache.addAll(STATIC_ASSETS))
.then(() => self.skipWaiting())
);
});
// Clean up old caches on activation
self.addEventListener('activate', (event) => {
event.waitUntil(
caches.keys().then(keys =>
Promise.all(
keys
.filter(key => key !== STATIC_CACHE
&& key !== DYNAMIC_CACHE
&& key !== IMAGE_CACHE)
.map(key => caches.delete(key))
)
).then(() => self.clients.claim())
);
});
// Route requests to appropriate strategy
self.addEventListener('fetch', (event) => {
const { request } = event;
const url = new URL(request.url);
// Skip non-GET requests
if (request.method !== 'GET') return;
// API calls → Network First with timeout
if (url.pathname.startsWith('/api/')) {
event.respondWith(networkFirst(request, DYNAMIC_CACHE, 3000));
return;
}
// Images → Cache First with size limit
if (request.destination === 'image') {
event.respondWith(cacheFirst(request, IMAGE_CACHE));
return;
}
// Static assets → Cache First
if (isStaticAsset(url.pathname)) {
event.respondWith(cacheFirst(request, STATIC_CACHE));
return;
}
// HTML pages → Stale While Revalidate
if (request.headers.get('Accept')?.includes('text/html')) {
event.respondWith(staleWhileRevalidate(request, DYNAMIC_CACHE));
return;
}
});
// Strategy: Cache First — fast, uses cached version
async function cacheFirst(request, cacheName) {
const cached = await caches.match(request);
if (cached) return cached;
try {
const response = await fetch(request);
if (response.ok) {
const cache = await caches.open(cacheName);
cache.put(request, response.clone());
}
return response;
} catch {
return caches.match('/offline.html');
}
}
// Strategy: Network First — fresh data with fallback
async function networkFirst(request, cacheName, timeout) {
const cache = await caches.open(cacheName);
try {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), timeout);
const response = await fetch(request, {
signal: controller.signal
});
clearTimeout(timeoutId);
if (response.ok) {
cache.put(request, response.clone());
}
return response;
} catch {
const cached = await cache.match(request);
return cached || new Response(
JSON.stringify({ error: 'Offline', cached: false }),
{ headers: { 'Content-Type': 'application/json' } }
);
}
}
// Strategy: Stale While Revalidate — fast + fresh
async function staleWhileRevalidate(request, cacheName) {
const cache = await caches.open(cacheName);
const cached = await cache.match(request);
const networkFetch = fetch(request).then(response => {
if (response.ok) {
cache.put(request, response.clone());
}
return response;
}).catch(() => null);
return cached || await networkFetch || caches.match('/offline.html');
}
function isStaticAsset(pathname) {
return /\.(css|js|woff2?|ttf|eot|svg)$/i.test(pathname);
}This implementation demonstrates how different resource types deserve different caching strategies. API data gets network-first treatment to stay fresh, while static assets use cache-first for instant loading.
Layer 3: CDN and Edge Caching
Content Delivery Networks cache your content at Points of Presence (PoPs) distributed around the globe. When a user in Tokyo requests a resource, it’s served from a nearby edge node rather than traveling to your origin server in Virginia. The result is dramatically reduced latency — often from 200-300ms down to 10-30ms.
Modern platforms like those compared in our Vercel vs Netlify vs Cloudflare Pages review provide CDN caching out of the box with zero configuration. But understanding how CDN caching works helps you optimize it further.
CDN Cache Control
CDNs respect your Cache-Control headers but also support additional configuration:
- CDN-Cache-Control — a header some CDNs support that overrides
Cache-Controlfor edge caching without affecting browser caching - Surrogate-Control — used by Fastly, Akamai, and other CDNs for edge-specific directives
- Vary header — tells the CDN to cache different versions based on request headers (e.g.,
Vary: Accept-Encoding, Accept-Language) - Cache tags / keys — allow targeted purging of related content without flushing the entire cache
Edge Computing and Caching
The line between CDN caching and computation is blurring. Edge computing platforms like Cloudflare Workers and Deno Deploy let you run code at the edge, combining the low latency of CDN delivery with dynamic logic. You can generate and cache personalized responses at edge nodes, dramatically improving Time to First Byte for dynamic content.
Cache Invalidation at the CDN
CDN purging strategies include:
- Path-based purge — invalidate specific URLs (e.g.,
/api/products/123) - Tag-based purge — invalidate all resources tagged with a specific label (e.g., all resources tagged
product-123) - Prefix purge — invalidate everything under a path prefix (e.g.,
/api/products/*) - Full purge — nuclear option, clear everything (avoid in production)
Tag-based purging is the most flexible approach. When you update a product, you purge its tag and every cached page or API response associated with that product gets refreshed — including listing pages, search results, and related product sections.
Layer 4: Reverse Proxy Cache
A reverse proxy like Nginx or Varnish sits in front of your application servers and caches full HTTP responses. It reduces load on your app by serving repeated requests from memory without ever hitting your application code.
Nginx’s proxy_cache directive creates a shared cache zone that can store responses based on configurable keys. Varnish Cache uses its own domain-specific language (VCL) for fine-grained caching logic including grace mode, which serves stale content while fetching fresh data from the backend — similar to stale-while-revalidate at the HTTP level.
Reverse proxy caching is particularly effective for server-side rendered pages where generating each HTML page requires database queries and template rendering. Caching the rendered output for even 60 seconds can reduce origin load by orders of magnitude under high traffic.
Layer 5: Application-Layer Caching with Redis
Application-layer caching stores computed results, database query outputs, and serialized objects in fast in-memory stores like Redis or Memcached. This is where you have the most control and where thoughtful caching architecture pays the biggest dividends. For a deep dive, see our Redis caching guide for web applications.
Redis is the most popular choice for application caching thanks to its rich data structures (strings, hashes, sorted sets, lists), built-in TTL support, and optional persistence. Here is a multi-layer cache middleware implementation in Express.js with Redis:
// middleware/cache.js — Multi-layer cache with Redis + in-memory
const Redis = require('ioredis');
const crypto = require('crypto');
const redis = new Redis({
host: process.env.REDIS_HOST || 'localhost',
port: 6379,
maxRetriesPerRequest: 3,
retryDelayOnFailover: 200,
enableReadyCheck: true,
lazyConnect: true
});
// L1: In-memory LRU cache for ultra-hot data
class LRUCache {
constructor(maxSize = 500) {
this.cache = new Map();
this.maxSize = maxSize;
}
get(key) {
if (!this.cache.has(key)) return null;
const item = this.cache.get(key);
if (Date.now() > item.expiry) {
this.cache.delete(key);
return null;
}
// Move to end (most recently used)
this.cache.delete(key);
this.cache.set(key, item);
return item.value;
}
set(key, value, ttlSeconds) {
if (this.cache.size >= this.maxSize) {
// Evict oldest entry (first in Map)
const firstKey = this.cache.keys().next().value;
this.cache.delete(firstKey);
}
this.cache.set(key, {
value,
expiry: Date.now() + (ttlSeconds * 1000)
});
}
invalidate(pattern) {
for (const key of this.cache.keys()) {
if (key.includes(pattern)) this.cache.delete(key);
}
}
}
const memoryCache = new LRUCache(1000);
// Generate a cache key from request properties
function generateCacheKey(req, options = {}) {
const parts = [
req.method,
req.originalUrl,
options.varyByUser ? req.user?.id : '',
options.varyByHeaders?.map(h => req.get(h)).join(':') || ''
];
const hash = crypto
.createHash('sha256')
.update(parts.join('|'))
.digest('hex')
.substring(0, 16);
return `cache:${req.method}:${req.path}:${hash}`;
}
// Main cache middleware factory
function cacheMiddleware(options = {}) {
const {
ttl = 300, // Redis TTL in seconds
memoryTTL = 30, // In-memory TTL in seconds
varyByUser = false, // Cache per user
varyByHeaders = [], // Cache varies by these headers
tags = [], // Cache tags for invalidation
condition = null // Function: should this response be cached?
} = options;
return async (req, res, next) => {
// Only cache GET requests
if (req.method !== 'GET') return next();
const cacheKey = generateCacheKey(req, {
varyByUser,
varyByHeaders
});
try {
// L1: Check in-memory cache first
const memResult = memoryCache.get(cacheKey);
if (memResult) {
res.set('X-Cache', 'HIT-MEMORY');
res.set('X-Cache-Key', cacheKey);
res.set('Content-Type', memResult.contentType);
return res.status(memResult.status).send(memResult.body);
}
// L2: Check Redis
const redisResult = await redis.get(cacheKey);
if (redisResult) {
const parsed = JSON.parse(redisResult);
// Promote to L1 memory cache
memoryCache.set(cacheKey, parsed, memoryTTL);
res.set('X-Cache', 'HIT-REDIS');
res.set('X-Cache-Key', cacheKey);
res.set('Content-Type', parsed.contentType);
return res.status(parsed.status).send(parsed.body);
}
} catch (err) {
console.warn('Cache read error:', err.message);
// On cache failure, proceed without cache
}
// Cache MISS — intercept response to store it
res.set('X-Cache', 'MISS');
const originalSend = res.send.bind(res);
res.send = function(body) {
// Check if this response should be cached
if (condition && !condition(req, res)) {
return originalSend(body);
}
// Only cache successful responses
if (res.statusCode >= 200 && res.statusCode < 400) {
const cacheData = {
body,
status: res.statusCode,
contentType: res.get('Content-Type') || 'application/json'
};
// Store in both layers (async, don't block response)
memoryCache.set(cacheKey, cacheData, memoryTTL);
const pipeline = redis.pipeline();
pipeline.setex(cacheKey, ttl, JSON.stringify(cacheData));
// Store cache tags for targeted invalidation
const allTags = [
...tags,
...(typeof tags === 'function' ? tags(req) : [])
];
for (const tag of allTags) {
pipeline.sadd(`tag:${tag}`, cacheKey);
pipeline.expire(`tag:${tag}`, ttl + 60);
}
pipeline.exec().catch(err =>
console.warn('Cache write error:', err.message)
);
}
return originalSend(body);
};
next();
};
}
// Invalidate cache by tags
async function invalidateByTag(...tagNames) {
for (const tag of tagNames) {
const keys = await redis.smembers(`tag:${tag}`);
if (keys.length > 0) {
await redis.del(...keys, `tag:${tag}`);
}
// Also clear matching in-memory entries
memoryCache.invalidate(tag);
}
}
// Invalidate by exact key pattern
async function invalidateByPattern(pattern) {
const stream = redis.scanStream({ match: pattern, count: 100 });
const keysToDelete = [];
for await (const keys of stream) {
keysToDelete.push(...keys);
}
if (keysToDelete.length > 0) {
await redis.del(...keysToDelete);
}
memoryCache.invalidate(pattern.replace(/\*/g, ''));
}
module.exports = {
cacheMiddleware,
invalidateByTag,
invalidateByPattern
};
// Usage in Express routes:
//
// const { cacheMiddleware, invalidateByTag } = require('./middleware/cache');
//
// // Cache product listings for 5 minutes
// app.get('/api/products', cacheMiddleware({
// ttl: 300,
// memoryTTL: 30,
// tags: ['products']
// }), productController.list);
//
// // Cache individual products, tag by ID
// app.get('/api/products/:id', cacheMiddleware({
// ttl: 600,
// memoryTTL: 60,
// tags: (req) => ['products', `product:${req.params.id}`]
// }), productController.getById);
//
// // On product update, invalidate related caches
// app.put('/api/products/:id', async (req, res) => {
// await productService.update(req.params.id, req.body);
// await invalidateByTag('products', `product:${req.params.id}`);
// res.json({ success: true });
// });This implementation uses a two-tier caching approach: an in-memory LRU cache for the hottest data (sub-millisecond access) backed by Redis for shared, persistent caching across multiple application instances. The tag-based invalidation system allows you to surgically clear related caches when data changes.
Cache Invalidation: The Hard Problem
Phil Karlton famously said there are only two hard things in computer science: cache invalidation and naming things. Cache invalidation is genuinely difficult because you must balance data freshness against performance, and stale data can cause real user-facing bugs.
Invalidation Strategies
Time-based expiration (TTL) is the simplest approach. Set a reasonable TTL and accept that data may be stale for up to that duration. This works well when slight staleness is acceptable — product listings, blog content, aggregated statistics.
Event-driven invalidation purges caches immediately when the underlying data changes. When a user updates their profile, you invalidate the cached profile data. This requires your write path to know about all caches that depend on the changed data — which can be complex in large systems.
Write-through caching updates the cache simultaneously with the primary data store on every write. The cache always has fresh data, but writes are slower since they must update multiple stores. This is common in well-designed API layers where data consistency is paramount.
Cache versioning avoids invalidation entirely by changing the cache key when data changes. Instead of deleting product:123, you increment a version counter and start reading from product:123:v42. Old entries expire naturally via TTL. This eliminates race conditions but requires a central version counter.
Common Pitfalls
- Cache stampede — when a popular cache entry expires, hundreds of concurrent requests all miss cache simultaneously and pound the database. Mitigate with lock-based recomputation (only one request fetches, others wait) or probabilistic early expiration.
- Stale data bugs — forgetting to invalidate a cache when data changes leads to users seeing outdated information. A cache registry that maps data entities to their cached representations helps prevent this.
- Over-caching — caching too aggressively can actually hurt performance if cache management overhead exceeds the cost of recomputation. Profile before caching.
- Cache poisoning — if an error response accidentally gets cached, all users see the error until the cache expires. Always validate responses before caching them.
Designing a Complete Caching Architecture
A production caching architecture combines multiple layers working together. Here is how a typical request flows through a well-designed system:
- Browser checks its local HTTP cache. If the resource is fresh, it serves it immediately with zero network cost.
- Service Worker intercepts the request if the browser cache misses. It may serve a cached version or apply stale-while-revalidate logic.
- CDN edge node receives the request if it reaches the network. If cached at this PoP, it responds in under 30ms.
- Reverse proxy (Nginx/Varnish) checks its cache for the full response. If hit, the application server never processes the request.
- Application server checks Redis or in-memory cache for computed data. If hit, it skips expensive database queries and computation.
- Database is the final fallback, queried only when all cache layers miss.
In practice, a well-tuned system with this architecture serves 95-99% of requests from cache, with only a tiny fraction reaching the database. For teams building complex web applications, tools like Taskee can help coordinate caching strategy decisions and track implementation progress across distributed teams.
Choosing the Right TTL
TTL selection depends on your data’s change frequency and your tolerance for staleness:
- Seconds (5-60s) — real-time dashboards, stock prices, live scores
- Minutes (1-15min) — API responses, product availability, search results
- Hours (1-24h) — blog content, user profiles, category listings
- Days to weeks — static assets, reference data, configuration
- Immutable — versioned assets with content hash in the filename
Monitoring and Measuring Cache Effectiveness
A caching system you cannot observe is a caching system you cannot optimize. Track these key metrics:
- Cache hit ratio — percentage of requests served from cache. Aim for above 90% for static content, 70-85% for dynamic content.
- Cache latency — how long cache lookups take. In-memory should be sub-millisecond, Redis under 5ms, CDN under 50ms.
- Origin offload — percentage of requests that never reach your origin server. Higher is better.
- Stale serve rate — how often stale data is served. Monitor to ensure it stays within acceptable bounds.
- Cache memory usage — track memory consumption to prevent eviction storms when caches fill up.
Add the X-Cache header to responses (as shown in the middleware example above) so you can easily verify cache behavior in browser DevTools. When planning web infrastructure projects with complex caching requirements, Toimi provides structured workflows for architectural planning that help development teams align on caching strategies from the start.
Advanced Techniques
Cache Warming
After a deployment or cache flush, your caches are empty and every request is a cache miss — causing a temporary spike in origin load. Cache warming pre-populates caches with known-popular resources immediately after deployment. Crawl your sitemap, replay recent access logs, or trigger background jobs that fetch and cache critical data paths.
Content-Aware Caching
Not all pages or API endpoints deserve the same caching strategy. Analyze your traffic patterns to identify what to cache aggressively versus what needs real-time freshness. An e-commerce product detail page with 10,000 daily views deserves aggressive caching with event-driven invalidation. A user’s private dashboard with 10 views per day may not need caching at all.
Cache Sharding
For large-scale systems, a single Redis instance may not provide enough memory or throughput. Cache sharding distributes keys across multiple Redis instances using consistent hashing. This provides horizontal scalability while maintaining cache locality — related keys can be co-located on the same shard for efficient multi-key operations.
FAQ
What is the difference between no-cache and no-store in Cache-Control?
no-cache does not mean “don’t cache.” It means the browser may store the response but must revalidate with the server before using it. The server can respond with 304 Not Modified if the content hasn’t changed, saving bandwidth. no-store, on the other hand, tells the browser to never store the response at all — it must be fetched fresh every time. Use no-store for sensitive data like banking pages or personal health records. Use no-cache for content that changes frequently but benefits from conditional caching via ETag.
How do I prevent cache stampede when a popular cache key expires?
Cache stampede (also called thundering herd) occurs when many concurrent requests miss cache simultaneously and all hit the database. Three main solutions exist. First, use a distributed lock (e.g., Redis SETNX) so only one request recomputes the value while others wait. Second, implement probabilistic early expiration where each request has a small chance of refreshing the cache before it actually expires, spreading out recomputation. Third, use stale-while-revalidate at the application level — serve the stale value while one background process fetches the fresh value. The lock approach is most common and effective for most applications.
When should I use Redis vs Memcached for application-layer caching?
Redis is the better choice for most modern applications. It supports rich data structures (hashes, sorted sets, lists, streams), built-in TTL on individual keys, optional persistence, pub/sub for cache invalidation notifications, and Lua scripting for atomic operations. Memcached is simpler and can be slightly faster for basic key-value lookups with multi-threaded architecture. Choose Memcached if you need a simple, volatile key-value cache and want to maximize throughput for basic GET/SET operations. Choose Redis for everything else — especially when you need data structures, persistence, or cross-instance cache invalidation.
How does CDN caching work with dynamic or personalized content?
Traditional CDNs cache static content effectively but struggle with personalized responses. Modern approaches solve this in several ways. First, you can cache the base page at the CDN and personalize client-side using JavaScript and API calls — this way the HTML shell is cached globally while user-specific data loads asynchronously. Second, edge computing platforms like Cloudflare Workers can run personalization logic at the edge, generating different cached versions per user segment. Third, using the Vary header tells the CDN to maintain separate cached versions based on specific request headers like Accept-Language or a custom user-segment header. The key is to identify which parts of your response are shared versus personalized and cache them separately.
What is the ideal cache hit ratio and how do I improve it?
Target cache hit ratios depend on the content type: 95%+ for static assets (CSS, JS, images), 85-95% for CDN-cached pages, and 70-85% for application-layer caching of API responses. To improve your hit ratio, first analyze cache misses to understand why they occur — expired TTL, cache key fragmentation, or cold cache. Increase TTLs where staleness is acceptable. Normalize cache keys to avoid storing duplicate entries (e.g., sort query parameters). Implement cache warming after deployments. Reduce cache key cardinality by caching shared data separately from per-user data. Monitor your eviction rate — if entries are being evicted before they expire, you need more cache memory.
Conclusion
Caching is the single most impactful technique for improving web application performance and scalability. A well-designed caching strategy doesn’t just make your application faster — it fundamentally changes its architecture, turning expensive per-request computations into cheap cache lookups and reducing infrastructure costs dramatically.
Start by setting appropriate HTTP cache headers for your static assets — this alone can eliminate the majority of redundant network requests. Add a CDN to serve content from edge locations close to your users. Implement application-layer caching with Redis for your most expensive database queries and computations. And always, always monitor your cache hit ratios and invalidation patterns to ensure your caching strategy is actually working as intended.
The key principle to remember: cache as aggressively as your data’s freshness requirements allow, implement reliable invalidation mechanisms, and measure everything. With these foundations in place, you can serve millions of users without breaking a sweat — or the bank.
