Aggressive cache control default

[Michael Schaefermeyer]

Hey all,

yesterday I noticed that after updating the CORS plug our CDN cache coverage dropped to 0. The idiot that wrote CORS plug (me) overwrote any previous headers in earlier version. That is now fixed.

I notice that phoenix (or plug? or cowboy?) sets the following cache control header:

cache-control: max-age=0, private, must-revalidate

That's a pretty aggressive setting. I suggest we do not set a cache-control per default.

Thoughts?

Thanks,

Michael

[Christian Kruse]

Hi,

Michael Schaefermeyer <michael.sc...@gmail.com> writes:

> That's a pretty aggressive setting. I suggest we do not set a
> cache-control per default.
>
> Thoughts?

+1

I fell over that, too, and had to overwrite that in a plug.

Best regards,
--
Christian Kruse
https://wwwtech.de/about

[jose....@gmail.com]

I think not setting cache-control is a very dangerous default. According to the spec, any page is cacheable by default:

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.4

The consequence is that if your application has pages accessible after a login, without a cache control, it may be cached! So I think setting cache-control by default is a good thing™ so proxies don't end-up caching otherwise private content. I am aware most proxies won't cache if there is a cookie BUT it is not part of the spec afaik, so I don't want to rely on it. 

So unless I am reading the spec wrong, I think we have a sane default. My feedback is then to explicitly set the cache-control to public for pages you want to surely cache.

[jose....@gmail.com]

However, Plug.Static should certainly drop it by default, I will fix it accordingly.

[jose....@gmail.com]

Apparently Plug.Static already sets it to public, so if someone is seeing otherwise, please open up a bug report.