1. Choose the right Cache-Control directive
The Cache-Control header is the source of truth for modern caching. Use public for assets that any cache may store, private for per-user payloads, and no-store for anything sensitive. Pair the visibility token with a freshness lifetime (max-age) and a stale-window (stale-while-revalidate) to keep latency low even when the origin is slow.
2. Set ETag and Last-Modified for revalidation
Once content has expired, a strong validator lets the client revalidate cheaply. Emit an ETag derived from a stable hash of the body and a Last-Modified timestamp. Meridian honors both, returning a 304 Not Modified when the client supplies a matching If-None-Match or If-Modified-Since.
3. Vary on the right request dimensions
A missing Vary header is the most common cause of cross-user data leaks. List every request header that changes the response body. Below is a production-grade response shape Meridian recommends for cached API endpoints.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: public, max-age=60, stale-while-revalidate=300
ETag: "9f86d081-v2"
Last-Modified: Sat, 27 Jun 2026 14:22:11 GMT
Vary: Accept-Encoding, Accept-Language
X-Meridian-Cache: HIT
{
"ok": true,
"data": { "items": 42 }
}