JSON Caching Strategies: HTTP Headers, Redis, CDN, and Cache Invalidation

Q: What HTTP headers should I use to cache JSON API responses?

The primary header is Cache-Control. For public JSON APIs: Cache-Control: public, max-age=300, stale-while-revalidate=60 — allows CDNs and browser caches to store the response for 5 minutes, then serve stale while fetching fresh in the background. For user-specific data: Cache-Control: private, max-age=60 — only the browser (not CDNs) may cache. For real-time data: Cache-Control: no-store or no-cache (with ETag for conditional requests). Always set Content-Type: application/json and Vary: Accept-Encoding if you serve compressed responses. Set ETag to enable conditional GET requests (304 Not Modified), saving bandwidth even when you can't use long TTLs.

Q: How does ETag work for JSON API caching?

An ETag is a hash of the response body. The server includes ETag: "abc123" in the first response. On subsequent requests, the client sends If-None-Match: "abc123". If the resource hasn't changed, the server returns 304 Not Modified with no body — saving bandwidth. If it changed, the server returns 200 with the new body and a new ETag. Generating ETags: hash the serialized JSON (md5, sha256, or crc32 of JSON.stringify(data)). Strong ETags guarantee byte-for-byte identity; weak ETags (W/"abc123") allow semantic equivalence. ETags are most useful when you can't use long max-age values but still want to avoid redundant data transfer — for example, a list resource that updates infrequently but at unpredictable times.

Q: How do I cache JSON responses in Redis?

The standard pattern: check Redis for a cached value before hitting the database or downstream service; if missing, fetch, store in Redis with a TTL, and return. In Node.js with ioredis: const cached = await redis.get("user:123"); if (cached) return JSON.parse(cached); const user = await db.findUser(123); await redis.setex("user:123", 300, JSON.stringify(user)); return user. Choose cache keys that reflect the cache scope: entity type + ID + (optional) version or tenant. Use TTL values that match how often the data changes. For JSON with complex types (Dates, BigInts), use a custom serializer — the default JSON.parse/stringify won't handle them. RedisJSON (ReJSON module) stores native JSON and supports JSONPath queries without full serialize/deserialize.

Q: What is stale-while-revalidate and when should I use it?

stale-while-revalidate is a Cache-Control extension directive: Cache-Control: max-age=60, stale-while-revalidate=300. Within the 60-second max-age window, responses are served fresh from cache. In the 60–360-second window, responses are served from cache immediately (even though they're stale) while a background request updates the cache. After 360 seconds, the cache waits for a fresh response before serving. This pattern trades consistency for latency: users always get a fast cached response, but it might be up to stale-while-revalidate seconds old. It's ideal for public content that changes occasionally (news feeds, product catalogs, public APIs) but poor for financial data, inventory, or anything where a few minutes of staleness is unacceptable.

Q: How do I implement cache invalidation for JSON API responses?

Cache invalidation is famously difficult. The main strategies are: (1) TTL-based — let entries expire naturally; simple but potentially serves stale data until TTL expires. (2) Event-driven invalidation — when data changes (user updated, order placed), explicitly delete or update the cache entry: await redis.del("user:123"). (3) Cache tags / surrogate keys — tag cache entries with entity IDs; on update, delete all entries with that tag. Fastly, Cloudflare, and Varnish support surrogate key invalidation. (4) Versioned cache keys — include a version number or timestamp in the key: "user:123:v2"; increment the version on change. The "old" key just expires naturally. (5) Write-through cache — update the cache at the same time as the database in a transaction to keep them in sync.

Q: Should I cache JSON API responses at the CDN level?

CDN caching is highly effective for public JSON APIs with moderate staleness tolerance. Set Cache-Control: public, max-age=N, s-maxage=N (s-maxage overrides max-age for shared/CDN caches). CDNs cache at edge nodes geographically close to users, reducing latency from 200ms to 5–20ms for cache hits. For per-user content, CDN caching is inappropriate — use private or no-store. The Vary: Authorization header prevents CDNs from serving one user's cached response to another, but it also effectively disables CDN caching (each Authorization value gets its own cache entry). For authenticated APIs, cache at the application/Redis layer instead. Use CDN cache purging APIs (Cloudflare, Fastly) to invalidate entries on content changes.

Q: What is the difference between no-cache and no-store in HTTP?

no-store means "never store this response anywhere" — no disk, no memory, no CDN cache. Use it for highly sensitive data. no-cache means "you may store the response, but must revalidate with the server before serving from cache" — it combines well with ETag or Last-Modified: the cached response can be stored, but a conditional request (If-None-Match or If-Modified-Since) must be made each time. If the server returns 304 Not Modified, the cached version is served; if 200, the new body replaces the cached version. Use no-cache for data that changes frequently but where you still want to avoid re-downloading unchanged content. Use no-store for auth tokens, payment data, and personal health information.

Q: How do I cache JSON in the browser with the Cache API?

The Cache API (Service Worker Cache) lets you cache fetch() responses including JSON API responses. In a Service Worker: self.addEventListener("fetch", event => { event.respondWith( caches.open("api-v1").then(cache => cache.match(event.request).then(cached => cached || fetch(event.request).then(res => { cache.put(event.request, res.clone()); return res; }) ) ) ); }). This implements a cache-first strategy. For network-first with fallback: try the network first; if offline, serve from cache. The Cache API stores full Response objects, so JSON.stringify/parse is handled automatically. Combine with Cache-Control headers: the browser's HTTP cache and the Service Worker Cache can coexist, with the Service Worker intercepting requests before the HTTP cache.

Written and reviewed by the Jsonic editorial team — every guide is verified against the official spec or runtime before publication.

Last updated: May 19, 2026

Effective caching is the single highest-leverage performance improvement for JSON APIs. A well-cached API response serves in under 5ms instead of 200ms, handles 100× more traffic, and reduces database load dramatically. This guide covers the full stack: HTTP cache headers, Redis application caching, CDN edge caching, and cache invalidation strategies.

HTTP Cache-Control Headers for JSON APIs

// Express.js — Cache-Control header patterns

// Public JSON data (product catalog, public profiles)
res.set({
  'Cache-Control': 'public, max-age=300, stale-while-revalidate=60',
  'Content-Type':  'application/json',
  'Vary':          'Accept-Encoding',
})

// User-specific data (dashboard, account info)
res.set({
  'Cache-Control': 'private, max-age=60',
  'Content-Type':  'application/json',
})

// Real-time data (stock prices, live inventory)
res.set({
  'Cache-Control': 'no-store',
  'Content-Type':  'application/json',
})

// Frequently checked but rarely changed (config, feature flags)
res.set({
  'Cache-Control': 'public, max-age=0, must-revalidate',
  'ETag':          etag,           // hash of response body
  'Last-Modified': lastModified,   // ISO 8601 string
  'Content-Type':  'application/json',
})

ETag Implementation

ETag enables conditional GET: the client sends the cached ETag; the server returns 304 Not Modified (no body) if unchanged.

import crypto from 'crypto'

function generateETag(data: unknown): string {
  const hash = crypto
    .createHash('md5')
    .update(JSON.stringify(data))
    .digest('hex')
  return '"' + hash + '"'  // ETags must be quoted strings
}

// Express middleware
app.get('/api/products', async (req, res) => {
  const products = await db.getProducts()
  const etag = generateETag(products)

  // Check conditional request
  if (req.headers['if-none-match'] === etag) {
    return res.status(304).end()  // Not Modified — no body sent
  }

  res
    .set('ETag', etag)
    .set('Cache-Control', 'public, max-age=0, must-revalidate')
    .json(products)
})

Redis Application Cache

import { Redis } from 'ioredis'
const redis = new Redis(process.env.REDIS_URL)

const CACHE_TTL = 300  // 5 minutes

// Cache-aside (lazy loading) pattern
async function getUser(userId: string) {
  const key = `user:${userId}`

  // 1. Check cache
  const cached = await redis.get(key)
  if (cached) {
    return JSON.parse(cached)  // cache hit
  }

  // 2. Cache miss — fetch from DB
  const user = await db.findUser(userId)
  if (!user) return null

  // 3. Store in cache with TTL
  await redis.setex(key, CACHE_TTL, JSON.stringify(user))

  return user
}

// Invalidate on update
async function updateUser(userId: string, data: Partial<User>) {
  const updated = await db.updateUser(userId, data)
  await redis.del(`user:${userId}`)  // bust the cache
  return updated
}

// Cache list queries with composite key
async function getProductsByCategory(categoryId: string, page: number) {
  const key = `products:cat:${categoryId}:page:${page}`
  const cached = await redis.get(key)
  if (cached) return JSON.parse(cached)

  const products = await db.getProducts({ categoryId, page })
  await redis.setex(key, 60, JSON.stringify(products))  // shorter TTL for lists
  return products
}

Cache Key Design

Pattern	Key example	Use when
Entity + ID	`user:123`	Single resource GET
Query fingerprint	`products:cat:5:page:2`	Filtered/paginated lists
URL hash	`cache:md5(path+query)`	Arbitrary API responses
Tenant-scoped	`tenant:acme:user:123`	Multi-tenant apps
Versioned	`v2:products:123`	Schema/API versioning

CDN Caching for JSON APIs

// Set s-maxage for CDN-specific TTL (overrides max-age for CDNs)
res.set({
  'Cache-Control': 'public, max-age=60, s-maxage=300',
  // CDNs cache for 300s; browsers cache for 60s
})

// Cloudflare: add Cache-Tag for surrogate-key invalidation
res.set({
  'Cache-Control': 'public, max-age=300',
  'Cache-Tag':     'products product:123 category:electronics',
})

// Purge by tag via Cloudflare API when product 123 changes:
// POST https://api.cloudflare.com/client/v4/zones/{zoneId}/cache/tags
// { "tags": ["product:123"] }

// Fastly: Surrogate-Key header for tag-based purging
res.set({
  'Surrogate-Key':     'products product-123',
  'Surrogate-Control': 'max-age=300',
})

Cache Invalidation Patterns

// 1. Event-driven invalidation (immediate consistency)
async function updateProduct(id: string, data: Partial<Product>) {
  const updated = await db.updateProduct(id, data)

  // Delete all affected cache entries
  await redis.del(`product:${id}`)
  await redis.del(`products:featured`)  // featured list may include this product

  // Publish event for other services to invalidate their caches
  await pubsub.publish('product.updated', { id, ...data })

  return updated
}

// 2. Versioned keys — no explicit deletion needed
let productVersion = await redis.get('products:version') ?? '1'

async function getProductsV(version: string) {
  const key = `products:v:${version}`
  const cached = await redis.get(key)
  if (cached) return JSON.parse(cached)
  const products = await db.getProducts()
  await redis.setex(key, 3600, JSON.stringify(products))
  return products
}

async function invalidateProductCache() {
  const newVersion = Date.now().toString()
  await redis.set('products:version', newVersion)
  // Old versioned keys expire naturally after 1 hour
}

// 3. Write-through cache (always consistent)
async function setUser(userId: string, user: User) {
  const [dbResult] = await Promise.all([
    db.saveUser(userId, user),
    redis.setex(`user:${userId}`, 300, JSON.stringify(user)),
  ])
  return dbResult
}

stale-while-revalidate Pattern

// Server: set stale-while-revalidate for background refresh
res.set('Cache-Control', 'public, max-age=60, stale-while-revalidate=300')
// Clients/CDNs serve stale (up to 5 min old) while fetching fresh in background

// Application-level SWR with Redis
async function getWithSWR(key: string, fetchFn: () => Promise<unknown>, ttl: number) {
  const cached = await redis.get(key)

  if (cached) {
    const { data, expiresAt } = JSON.parse(cached)
    const isStale = Date.now() > expiresAt

    if (isStale) {
      // Return stale immediately, refresh in background
      fetchFn()
        .then(fresh => redis.setex(key, ttl, JSON.stringify({
          data: fresh,
          expiresAt: Date.now() + ttl * 1000,
        })))
        .catch(console.error)
    }

    return data  // always return cached data immediately
  }

  // No cache — must wait for fresh data
  const fresh = await fetchFn()
  await redis.setex(key, ttl, JSON.stringify({
    data: fresh,
    expiresAt: Date.now() + ttl * 1000,
  }))
  return fresh
}

Caching Decision Guide

Data type	HTTP Cache-Control	Redis TTL	CDN
Static config/enums	`public, max-age=86400`	1 hour+	Yes, aggressive
Product catalog	`public, max-age=300, swr=60`	5 min	Yes + purge on change
User profile	`private, max-age=60`	5 min	No
User-specific lists	`private, no-store`	2–5 min	No
Search results	`private, max-age=30`	1 min	No
Financial / payments	`no-store`	None	Never

FAQ

What HTTP headers should I use to cache JSON API responses?

For public APIs: Cache-Control: public, max-age=300, stale-while-revalidate=60. For private/user-specific: Cache-Control: private, max-age=60. For real-time: Cache-Control: no-store. Always set Content-Type: application/json and include ETag for resources that support conditional requests. The Vary: Accept-Encoding header prevents serving the wrong (compressed/uncompressed) variant from cache when you support gzip.

How does ETag work for JSON API caching?

The server sends ETag: "abc123" (a hash of the response body) with each response. The client caches the response and ETag. On the next request, the client sends If-None-Match: "abc123". If the resource is unchanged, the server returns 304 Not Modified with no body — saving bandwidth. If changed, the server returns 200 with the new body and a new ETag. Generate ETags by hashing JSON.stringify(data) with MD5 or SHA-256. ETags are most valuable when data changes unpredictably but not constantly — they save bandwidth without requiring you to predict TTL values.

How do I cache JSON responses in Redis?

The cache-aside pattern: check Redis first (GET key), on miss fetch from database, store the result (SETEX key ttl value), return the data. Use JSON.stringify before storing and JSON.parse after retrieving. Design cache keys to reflect query scope: entity:id for single resources, entity:filter1:filter2:page for parameterized lists. Invalidate by deleting relevant keys on write. Keep TTLs short for frequently mutated data, longer for reference data.

What is stale-while-revalidate and when should I use it?

stale-while-revalidate allows serving a cached response past its max-age while asynchronously fetching a fresh copy. For example, max-age=60, stale-while-revalidate=300 means serve cached data for up to 6 minutes (1 + 5) without blocking, as long as a background revalidation is triggered after the first minute. Use it for content where a few extra minutes of staleness is acceptable in exchange for always-fast responses: news feeds, product listings, public profiles. Avoid it for inventory counts, pricing, and financial data where staleness has business consequences.

How do I implement cache invalidation for JSON API responses?

The four main strategies: (1) TTL expiry — simple, eventual consistency; (2) event-driven delete — on write, immediately delete affected cache keys; (3) surrogate keys / cache tags — tag entries with entity IDs, purge all entries with a tag via CDN API on change; (4) versioned keys — embed a version number in the key, increment on change, old entries expire naturally. Event-driven invalidation is the most consistent; versioned keys are the simplest for CDN use cases. Don't try to build a perfect cache — design for "eventually consistent within N seconds" rather than "always fresh".

Should I cache JSON API responses at the CDN level?

Yes, for public JSON APIs with any tolerance for staleness. CDN caching reduces latency from ~200ms (origin) to ~5ms (edge), absorbs traffic spikes, and reduces origin server load. Set s-maxage to the CDN-specific TTL. Use CDN surrogate keys (Cloudflare Cache-Tag, Fastly Surrogate-Key) to invalidate specific resources without full cache purges. Never CDN-cache private or authenticated responses — use Vary: Authorization at minimum, but this effectively disables CDN caching; use Redis instead for user-specific data.

What is the difference between no-cache and no-store in HTTP?

no-store: never write the response to any persistent storage (disk, memory, CDN). Every request goes to the origin. Use for payment data, session tokens, medical records. no-cache: store the response, but revalidate with the origin before each use — always sends a conditional request (If-None-Match or If-Modified-Since). If the server returns 304, serve the cached version; if 200, update the cache. no-cache with ETag is bandwidth-efficient for data that changes rarely but at unpredictable times.

How do I cache JSON in the browser with the Cache API?

Use Service Workers with the Cache API for offline-capable JSON caching. The cache-first strategy: open a named cache, check for a matching request, return the cached response if found, otherwise fetch from network and cache the response. For JSON APIs, the network-first strategy is usually safer: try the network, fall back to cache on failure. The Cache API stores full Response objects — call response.json() to access the data. Combine with Cache-Control headers: the HTTP cache and Service Worker Cache are separate layers that coexist.