Before we talk about specific headers, it helps to understand what headers actually are. Every time a browser requests something from a server, the request and the response contain two parts. The first part is the visible content, like HTML, JSON, images, or CSS. The second part is a set of small metadata instructions called headers<\/strong>. These headers travel along with the request and response and tell the systems involved how the data should be handled.<\/p>\n\n\n\n Headers don\u2019t contain the content itself. Instead, they describe the rules around that content. They can tell a browser whether it\u2019s allowed to cache a page, tell a CDN how long it may store a response, tell proxies whether multiple versions of a response might exist, or tell the browser how the payload was compressed. <\/p>\n\n\n\n In other words, headers don\u2019t change what your site sends, they change how that response behaves across the entire delivery chain. This is why headers matter so much for performance. They are the control layer that determines whether responses can be reused, when they must be refreshed, and how many variations of a response might exist. Understanding them means understanding how your site actually behaves once it leaves the server.<\/p>\n\n\n\n You can have a perfectly optimized page, a fast server, and a well-configured CDN. If the headers contradict your caching strategy, the infrastructure cannot help you.<\/p>\n\n\n\n The key to understanding headers is realizing they answer only three performance questions.<\/p>\n\n\n\n Can this response be reused? Once you look at headers through those three questions, they stop feeling like protocol trivia and start looking like a control panel.<\/p>\n\n\n\n So let’s talk about them. <\/p>\n\n\n\n The first job headers perform is determining whether reuse is allowed at all. The directive that controls this is Cache-Control.<\/p>\n\n\n\n Cache-Control can allow shared caches such as CDNs to store a response, restrict it to browser-only caching, or forbid storage entirely. A typical response might look like this:<\/p>\n\n\n\n The keyword Then there is the most restrictive directive: This tells every cache layer not to store the response anywhere. Not in the browser. Not in intermediary proxies. Not at the edge.<\/p>\n\n\n\n It is effectively the nuclear option for caching.<\/p>\n\n\n\n This is where many WordPress sites accidentally undermine their own performance. A page that should be reusable across visitors returns a The CDN obeys the instruction, and suddenly the request travels all the way back to the origin for every visitor. At that point, it doesn\u2019t matter how good your infrastructure is. The response has been declared non-reusable.<\/p>\n\n\n\n There is also an important distinction between browser caching and shared caching.<\/p>\n\n\n\n The If you don\u2019t differentiate between those two intentionally, you lose precision. You might cache aggressively in the browser but barely at the edge, or the opposite.<\/p>\n\n\n\n Understanding which cache layer you\u2019re instructing is the first step toward real control.<\/p>\n\n\n\n Once a response is allowed to be cached, the next question becomes how many variations of that response might exist. That is controlled by the Vary tells caches what aspects of the request determine whether the response should be treated as unique. A common example looks like this:<\/p>\n\n\n\n This tells caches that the response differs depending on whether the client supports gzip or brotli compression. That\u2019s normal and expected. But variation can quickly spiral out of control.<\/p>\n\n\n\n If a response includes something like this:<\/p>\n\n\n\n The cache now treats every browser type as potentially unique. Since user agents vary widely, the number of possible versions multiplies quickly.<\/p>\n\n\n\n Even more dangerous is the directive we discussed in the previous module section:<\/p>\n\n\n\n This tells caches that every cookie combination might produce a different response.<\/p>\n\n\n\n Now imagine what that means in a WordPress environment where multiple plugins set cookies.<\/p>\n\n\n\n Instead of one cached page, you may end up with dozens or hundreds of variants. The cache technically still works, but reuse becomes rare. This phenomenon is called cache fragmentation.<\/p>\n\n\n\n Caching may be enabled, but the cache hit ratio collapses because the system is storing too many variations. The hygiene rule here is straightforward: only vary on dimensions that genuinely change the output.<\/p>\n\n\n\n Every additional variation reduces reuse, and reuse is the foundation of scalable performance.<\/p>\n\n\n\n Even if a response is eligible for caching and does not create excessive variations, the system still needs to know how long the response may remain valid.<\/p>\n\n\n\n This is the lifetime question.<\/p>\n\n\n\n In this example, the browser may reuse the response for five minutes, while shared caches such as CDNs may reuse it for ten minutes.<\/p>\n\n\n\n By the way, it’s possible you will also encounter the Short lifetimes increase freshness but reduce reuse. Long lifetimes increase reuse but may delay updates.<\/p>\n\n\n\n The goal is to align the lifetime of the cache with the volatility of the content.<\/p>\n\n\n\n Eventually, cached responses expire. At that point, the system must decide whether to regenerate the content or simply confirm that nothing has changed. This is where revalidation mechanisms come in.<\/p>\n\n\n\n Two headers enable this behavior: An When a browser or CDN has a cached response, it can ask the origin server a conditional question.<\/p>\n\n\n\n \u201cHas this resource changed since I last saw it?\u201d If nothing has changed, the server responds with:<\/p>\n\n\n\n No payload is transferred. The cache simply continues using its existing copy. That\u2019s efficient, but it only works when the validation signals are stable.<\/p>\n\n\n\n If Revalidation is cheaper than regenerating the entire response, but it still involves a round trip. At scale, those round trips accumulate.<\/p>\n\n\n\n Beyond caching behavior, headers also influence how the payload itself is delivered. The This might indicate brotli compression. If textual responses such as HTML, CSS, or JavaScript are served without compression, unnecessary bandwidth is consumed.<\/p>\n\n\n\n But compression must be consistent across the stack. If both the origin and the CDN compress responses independently without coordination, the result can be inconsistent caching behavior.<\/p>\n\n\n\n The Incorrect types can break preloading behavior, prevent caching optimizations, or interfere with early rendering strategies. These headers may seem minor, but they affect how efficiently browsers process and render the response.<\/p>\n\n\n\n Modern sites often include additional headers related to security policy. These headers improve security posture, but they also require careful tuning. A very strict The key principle is alignment. Headers should reflect deliberate system design, not the accidental accumulation of plugin defaults.<\/p>\n\n\n\n Understanding headers conceptually is useful, but real control comes from observing them. Open your browser\u2019s developer tools and inspect the main document request, and then ask three questions.<\/p>\n\n\n\n Then compare different contexts.<\/p>\n\n\n\n Look at the site while logged out and while logged in. Compare the homepage with a product page. Compare an anonymous browser session with one carrying cookies.<\/p>\n\n\n\n You want to see intentional differences.<\/p>\n\n\n\n The checkout page might legitimately bypass caching. The homepage probably should not. Once you start reading headers this way, performance debugging becomes faster.<\/p>\n\n\n\n Instead of staring at a waterfall and guessing, you immediately classify the problem.<\/p>\n\n\n\n Is caching disallowed? Those questions lead directly to the root cause.<\/p>\n\n\n\n Headers are not decorative metadata. They are the instructions that define how every layer of the web stack behaves. If those instructions contradict your caching strategy, your caching strategy does not exist.<\/p>\n\n\n\n Once you understand that, performance optimization stops being a series of tweaks. It becomes the deliberate design of how your site is allowed to behave across browsers, CDNs, and origin servers.<\/p>\n","protected":false},"excerpt":{"rendered":" Most WordPress performance advice focuses on assets. Compress images, minify CSS, defer JavaScript, etc. You’ve seen them. And, those things matter, but they\u2019re not the layer that ultimately decides whether your site scales. Headers do. Response headers are the instructions that tell browsers, CDNs, and proxies how they\u2019re allowed to treat your content. They determine […]<\/p>\n","protected":false},"author":2,"featured_media":421960,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":"","_wordproof_timestamp":false},"categories":[1484],"tags":[],"class_list":["post-421956","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress-performance"],"acf":[],"_links":{"self":[{"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/posts\/421956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/comments?post=421956"}],"version-history":[{"count":2,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/posts\/421956\/revisions"}],"predecessor-version":[{"id":421963,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/posts\/421956\/revisions\/421963"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/media\/421960"}],"wp:attachment":[{"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/media?parent=421956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/categories?post=421956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/remkusdevries.com\/wp-json\/wp\/v2\/tags?post=421956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Example](\"https:\/\/remkusdevries.com\/wp-content\/uploads\/2026\/03\/response-headers-1280x696.jpg\")
<\/figure>\n\n\n\n
How many versions of it exist?
How long may it live before it needs to be refreshed?<\/p>\n\n\n\nFirst: Decide Whether the Response Is Allowed to Be Cached<\/h2>\n\n\n\n
Cache-Control: public, max-age=300<\/code><\/pre>\n\n\n\npublic<\/code> allows shared caches to store the response. If the directive instead says private<\/code>, a CDN must not store it, even if the page itself appears identical for every visitor.<\/p>\n\n\n\nno-store<\/code>.<\/p>\n\n\n\nCache-Control: no-store<\/code><\/pre>\n\n\n\nprivate<\/code> or no-store<\/code> directive because a plugin sets conservative defaults.<\/p>\n\n\n\nmax-age<\/code> directive defines how long the browser may reuse the response. The s-maxage<\/code> directive defines how long shared caches such as CDNs may reuse it.<\/p>\n\n\n\nNext: Decide How Many Versions of the Response May Exist<\/h2>\n\n\n\n
Vary<\/code> header.<\/p>\n\n\n\nVary: Accept-Encoding<\/code><\/pre>\n\n\n\nVary: User-Agent<\/code><\/pre>\n\n\n\nVary: Cookie<\/code><\/pre>\n\n\n\nThen: Decide How Long the Response May Live<\/h2>\n\n\n\n
Cache-Control<\/code> directives such as max-age<\/code> and s-maxage<\/code> define that lifetime.<\/p>\n\n\n\nCache-Control: public, max-age=300, s-maxage=600<\/code><\/pre>\n\n\n\nExpires<\/code> header in this context:<\/p>\n\n\n\nExpires: Wed, 21 Oct 2026 07:28:00 GMT<\/code><\/pre>\n\n\n\nExpires<\/code> is the older mechanism for defining expiration. Modern systems primarily rely on Cache-Control<\/code> instead. If both are present, they must agree. Conflicting directives create unpredictable behavior across browsers and proxies.<\/p>\n\n\n\nWhat Happens When Cached Content Becomes Stale<\/h2>\n\n\n\n
ETag<\/code> and Last-Modified<\/code>.<\/p>\n\n\n\nETag<\/code> might look like this:<\/p>\n\n\n\nETag: \"abc123\"<\/code><\/pre>\n\n\n\n304 Not Modified<\/code><\/pre>\n\n\n\nETag<\/code>s are generated differently across multiple origin servers, caches cannot reliably compare them. If Last-Modified<\/code> timestamps change unnecessarily, caches revalidate even when the content hasn\u2019t actually changed.<\/p>\n\n\n\nPayload Handling: Making the Response Efficient to Deliver<\/h2>\n\n\n\n
Content-Encoding<\/code> header tells the browser how the response body was compressed.<\/p>\n\n\n\nContent-Encoding: br<\/code><\/pre>\n\n\n\nContent-Type<\/code> header determines how the browser interprets the payload.<\/p>\n\n\n\nContent-Type: text\/html<\/code><\/pre>\n\n\n\nSecurity Headers and the Performance Tradeoff<\/h2>\n\n\n\n
Content-Security-Policy<\/code> defines which resources a page may load. Permissions-Policy<\/code> controls access to certain browser capabilities. Strict-Transport-Security<\/code> enforces HTTPS.<\/p>\n\n\n\nContent-Security-Policy<\/code> might block third-party scripts that would otherwise load asynchronously. In some cases, that improves performance. In others, it breaks functionality or forces complicated workarounds.<\/p>\n\n\n\nDiagnosing Header Behavior in Practice<\/h2>\n\n\n\n
\n
Is variation excessive?
Is lifetime too short?
Is revalidation constant?<\/p>\n\n\n\nWhy Header Hygiene Matters<\/h2>\n\n\n\n