Many of the sites that I work with have this habit of using a browser Cache-Control header without fully understanding what it means:

cache-control: max-age=0, no-cache, no-store, private

Everything in that header is moot once no-store is added, as Cache-Control rules always default to the most restrictive directive in the list. So the effective set of caching rules defined by that group of directives equals

cache-control: no-store

Now, the issue comes when the visitor refreshes the page. They do not get the opportunity to REVALIDATE the content, as the browser has been told to completely block the content from being stored anywhere.

If the goal is to actually force a visitor to REVALIDATE the content on every page view, then use this instead:

cache-control: max-age=0, no-cache, private

While this set of directives would seemingly prevent any caching, its actual objective is to force the browser to treat the content as stale and send a conditional request (If-Modified-Since, plus any relevant ETag information) to the server to confirm whether the content it has stored in a transitory state is still valid.

Performing a REVALIDATE rather than a full load reduces the amount of data transferred between client and server, which can improve performance and reduce CDN costs, especially at scale.
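
The difference between the two header sets on a page refresh, modeled as an added example (not code from the original post). The function names, the sample page and its ETag are constructed, and a response with no explicit freshness information is assumed to be revalidated rather than given heuristic freshness.

```javascript
// Added example; names and sample values are constructed, not from the post.

// Parse a Cache-Control value into Map(directive -> argument or true).
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of value.split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg);
  }
  return directives;
}

// What the browser does with its earlier copy when the page is requested again.
// Assumption: with no explicit freshness information the copy is revalidated.
function refreshBehaviour(cacheControl, ageSeconds) {
  const d = parseCacheControl(cacheControl);
  if (d.has("no-store")) return "full-fetch";   // nothing was kept, most restrictive wins
  if (d.has("no-cache")) return "revalidate";   // kept, but must be checked before reuse
  const maxAge = parseInt(d.get("max-age"), 10);
  return !Number.isNaN(maxAge) && ageSeconds < maxAge ? "use-cache" : "revalidate";
}

// Server side: 304 with no body when the validator the client sent still matches.
function respond(headers, resource) {
  const inm = headers["if-none-match"];
  const ims = headers["if-modified-since"];
  const notModified = inm !== undefined
    ? inm.split(",").map((t) => t.trim()).includes(resource.etag)  // ETag takes precedence
    : ims !== undefined && Date.parse(ims) >= Date.parse(resource.lastModified);
  const size = new TextEncoder().encode(resource.body).length;
  return notModified ? { status: 304, bytes: 0 } : { status: 200, bytes: size };
}

// One refresh of an already visited page, right after the first load (age 0).
function simulateRefresh(cacheControl, resource) {
  const action = refreshBehaviour(cacheControl, 0);
  if (action === "use-cache") return { action, status: null, bytes: 0 };
  const headers = action === "revalidate"
    ? { "if-none-match": resource.etag, "if-modified-since": resource.lastModified }
    : {};
  return { action, ...respond(headers, resource) };
}

// Constructed sample page.
const page = {
  etag: '"v1"',
  lastModified: "Tue, 02 Jan 2024 10:00:00 GMT",
  body: "<html>" + "x".repeat(5000) + "</html>",
};
```

Calling `simulateRefresh` with each of the two header strings from the post and `page` shows the full body being sent again under `no-store` and an empty 304 under the revalidating set.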