response not getting cached because of faulty headers - browser-cache

One of the requests on my web page retrieves the HTML panel data. This request is triggered with the help of JavaScript from the browser. The response received from the server includes caching headers that are confusing. The headers received look like this: Cache-Control:"private, max-age=120no-store"
In this, the expected header is max-age=120, but we are getting the no-store header as well, which is causing the response not to remain cached.
Can anyone let me know what we can do to avoid the no-store in the Cache-Control header?
As max-age and no-store are not separated by any separator, what can we do to find out what is causing them to appear in this format and fix the issue?
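A header like the one in this question can be caught with a small check run against the response at each hop (application, proxy, CDN) to see where the directives get fused. This is an added example, not code from the original post; the function name `lintCacheControl` and the sample strings are constructed for illustration.

```javascript
// Directives that take a delta-seconds argument (RFC 9111).
const NUMERIC = new Set(["max-age", "s-maxage", "stale-while-revalidate", "stale-if-error"]);
const KNOWN = new Set([...NUMERIC, "private", "public", "no-store", "no-cache",
  "must-revalidate", "proxy-revalidate", "no-transform", "immutable"]);

// Returns a list of findings; an empty list means the header parsed cleanly.
function lintCacheControl(value) {
  const findings = [];
  for (const raw of value.split(",")) {
    const d = raw.trim();
    if (d === "") continue;
    const eq = d.indexOf("=");
    const name = (eq === -1 ? d : d.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? null : d.slice(eq + 1).trim();
    if (!KNOWN.has(name)) {
      findings.push({ directive: d, problem: "unknown directive", glued: null });
    } else if (NUMERIC.has(name) && !/^\d+$/.test(arg === null ? "" : arg)) {
      // Digits followed by another known directive: a separator was lost.
      const m = /^(\d+)(.+)$/.exec(arg === null ? "" : arg);
      const tail = m ? m[2].toLowerCase() : null;
      const glued = tail && KNOWN.has(tail.split("=")[0]) ? tail : null;
      findings.push({
        directive: d,
        problem: glued ? "missing separator before " + glued : "argument is not an integer",
        glued,
      });
    }
  }
  return findings;
}

// Constructed samples: the header from the question and its intended form.
console.log(lintCacheControl("private, max-age=120no-store"));
console.log(lintCacheControl("private, max-age=120"));
```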

Related

CORS: Is the Access-Control-Allow-Credentials header mandatory for subsequent calls to the OPTIONS request?

I have an application that requires credentials. For the preflight requests, I am returning Access-Control-Allow-Credentials set to true only in OPTIONS requests. I assumed that this header would not be necessary in subsequent requests, but it is failing.
Is this behaviour expected or should I perform modifications?
The MDN website mentions the following but it is not entirely clear to me:
When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted. So, if a request is made for a resource with credentials, and if this header is not returned with the resource, the response is ignored by the browser and not returned to the web content.
(source)
The fetch standard includes this note for Access-Control-Allow-Credentials header but it's not clear to me either.
For a CORS-preflight request, request’s credentials mode is always "same-origin", i.e., it excludes credentials, but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS-preflight request as well.
(source)
I am returning Access-Control-Allow-Credentials set to true only in OPTIONS requests, assuming that in the following calls this header would not be needed.
The OPTIONS request is successful, but the browser blocks the subsequent POST request (which does not include Access-Control-Allow-Credentials set to true) with the following message:
You want to make a credentialed CORS request (that is, fetch(..., {credentials: "include"})) that requires a preflight (for example, because it is a POST request with Content-Type: application/json).
Without the Access-Control-Allow-Credentials: true header in the preflight response, the browser would not make the credentialed request in the first place.
Since you set that header in the preflight response, the browser makes the credentialed request (so that the effect happens on the server). But then the response lacks an Access-Control-Allow-Credentials: true header, therefore the browser refuses to make the response accessible to JavaScript. This is the same behavior as if you made a simple CORS GET request (which does not require a preflight) but the response lacks an Access-Control-Allow-Origin header.
So you really need this header in both responses.
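The two outcomes described in this answer, modelled as an added example that is not part of the original answer. The origin `https://app.example`, the `credentialsOnActual` switch and the function names are constructed, and the browser check is simplified to the two headers under discussion.

```javascript
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed allow-list

// Server side: build the CORS response headers for one request.
function corsHeaders(method, origin, { credentialsOnActual }) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  // Credentialed CORS needs the explicit origin here; "*" is not accepted.
  const h = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (method === "OPTIONS") {
    h["Access-Control-Allow-Methods"] = "POST";
    h["Access-Control-Allow-Headers"] = "Content-Type";
    h["Access-Control-Allow-Credentials"] = "true";
  } else if (credentialsOnActual) {
    h["Access-Control-Allow-Credentials"] = "true";
  }
  return h;
}

// Browser side (simplified): the check applied to a credentialed response.
function passesCredentialedCheck(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Walk a preflighted, credentialed POST through both checks.
function simulate(origin, serverOpts) {
  const preflight = corsHeaders("OPTIONS", origin, serverOpts);
  if (!passesCredentialedCheck(preflight, origin)) {
    return "blocked: preflight failed, request not sent";
  }
  const actual = corsHeaders("POST", origin, serverOpts);
  if (!passesCredentialedCheck(actual, origin)) {
    return "sent, but response hidden from script";
  }
  return "response readable by script";
}

// Header only on OPTIONS (the question's setup) vs. on both responses.
console.log(simulate("https://app.example", { credentialsOnActual: false }));
console.log(simulate("https://app.example", { credentialsOnActual: true }));
```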

Does the must-revalidate cache-control header tell the browser to only download a cached file if it has changed?

If I want browsers to load PDF files from cache until they changed on the server, do I have to use max-age=0 and must-revalidate as cache-control headers?
If I would use another value (larger than 0) for max-age would that mean the revalidation would only happen once the max-age value was exceeded?
What would happen if I would only set the must-revalidate header without max-age?
I was reading through this question and I am not 100% sure.
Also, what exactly does revalidate mean? Does it mean the client asks the server if the file has changed?
On the contrary, I've read that cache-control no-cache pretty much does what I want to achieve. Cache and check with the server if there is a new version... so what's the correct way?
I assume you are asking about which headers should you configure to be sent from your server, and by "client" you mean "modern web browser"? Then the quoted question/answer is correct, so:
1. Yes, you should set both, but max-age=0 is enough (must-revalidate is the default behavior).
2. Yes, correct, the response would be served from local cache until max-age expires; after that it would be revalidated (once), then again served from local cache, and so on.
3. It is kind of undefined, and differs between browsers and the way you send the request (clicking a link from HTML, hitting the reload button, typing directly in the address bar and hitting enter). Generally, the response should not be served directly from cache, but it could either just be revalidated or the full response can be requested from the server.
4. Revalidate means that the client asks the server to send the content only if it has been changed since it was last retrieved. In order for this to work, in response to the initial request the server will send either one or both of:
   - Etag header (which contains a hashed value of the content), which the client will cache and send back in the revalidation request as the If-None-Match header, so the server can compare the client's cached Etag value with the current Etag on the server side. If the value did not change, the server will respond with 304 Not Modified (and an empty body), and if the value changed, the server will respond with 200 and the full (new) content.
   - Last-Modified (which contains the timestamp of the last content modification), which the client will send in the revalidation request in the If-Modified-Since header, which will be used on the server side to determine the response (304 or 200).
5. Cache-control: no-cache might achieve the same effect in most of the (simple) cases. The situation where things get complicated is when there are intermediate caches between the client and the server, or when you want to tweak client behavior (for example when sending AJAX requests), and that is when most of the caching directives come into use.

How to stop PageSpeed from setting no-cache on my html page?

I am using Apache with PageSpeed. On my index page I want to manually set a cache time with PHP, but the headers get overwritten by PageSpeed because it sees the page as HTML and it adds no-cache:
header("Cache-Control:public, max-age=60");
pagespeed modifies it to:
Cache-Control: public, max-age=60
Cache-Control: max-age=0, no-cache, s-maxage=10
From the downstream caching documentation:
By default PageSpeed serves HTML files with Cache-Control: no-cache,
max-age=0 so that changes to the HTML and its resources are sent fresh
on each request
OK, but is there an easy way to get rid of that no-cache? The method shown in the documentation seems insanely complicated for such a simple issue. And already having reverse proxies and such, the infrastructure is complicated enough already.
Would Cache-Control:private help?
Looks like ModPagespeedModifyCachingHeaders off does just that, not sure why this is not mentioned in the downstream caching documentation.

How to use Etag with sailsjs

I'm trying to improve the cache capabilities on my sails application.
Sails generates an ETag with its response, but when I try to do a GET request with a header 'if-None-Match' containing the ETag from the previous answer, I can't get a 304 Not Modified response from the server (the response is indeed not modified and the ETag I receive is the same as the previous one).
I'm using POSTMAN to test the server responses.
Is there a way for a Sails server to send such a status code on unmodified responses? I can't find any resource for ETag usage in the Sails docs.
Thank you.
Sails.js is based on Express.js and the ETags are generated by Express.js. And according to this answer, weak ETags are generated using CRC32 (source), strong ETags are generated using MD5 (source).
I use DHC - REST/HTTP API Client with the If-None-Match header, and it works perfectly (returns 304 Not Modified).
And I found that's because POSTMAN sends a NO-CACHE header to the server for testing purposes
'cache-control': 'no-cache',
You can follow this answer and turn off this feature then everything will be fine.
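The revalidation exchange described in the must-revalidate answer (ETag with If-None-Match, Last-Modified with If-Modified-Since) and the Postman behaviour reported in this answer can be seen together in one server-side decision function. This is an added example, not Sails or Express code; `revalidate`, the resource object and its values are constructed, and treating a request `Cache-Control: no-cache` as "send the full response" is an assumption modelled on what this answer observed.

```javascript
// Decide between 200 (full body) and 304 (no body) for a GET request.
function revalidate(reqHeaders, resource) {
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;
  const validators = {
    "ETag": resource.etag,
    "Last-Modified": resource.lastModified.toUTCString(),
  };
  const full = { status: 200, headers: validators, body: resource.body };
  const notModified = { status: 304, headers: validators, body: "" };

  // Assumption: a client that sends no-cache wants an end-to-end reload,
  // so validators are ignored (the Postman case in the answer above).
  if (/(?:^|,)\s*no-cache\s*(?:,|$)/i.test(h["cache-control"] || "")) return full;

  // If-None-Match takes precedence over If-Modified-Since (RFC 9110).
  const inm = h["if-none-match"];
  if (inm !== undefined) {
    // Weak comparison: the W/ prefix is ignored on both sides.
    const strip = (t) => t.trim().replace(/^W\//, "");
    const hit = inm.trim() === "*" ||
      inm.split(",").some((t) => strip(t) === strip(resource.etag));
    return hit ? notModified : full;
  }

  const ims = h["if-modified-since"];
  if (ims !== undefined) {
    const since = Date.parse(ims);
    // HTTP dates have one-second resolution, so drop milliseconds.
    const modified = Math.floor(resource.lastModified.getTime() / 1000) * 1000;
    if (!Number.isNaN(since) && modified <= since) return notModified;
  }
  return full;
}

// Constructed resource and requests.
const page = { etag: '"v1"', lastModified: new Date("2024-01-01T00:00:00Z"), body: "hello" };
console.log(revalidate({ "If-None-Match": '"v1"' }, page).status);
console.log(revalidate({ "If-None-Match": '"v1"', "Cache-Control": "no-cache" }, page).status);
```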

phantomjs/casperjs force page caching

I am trying to force PhantomJS to in-memory cache some webpage (GET) that is sending a "Cache-Control: no-cache, must-revalidate" header to us.
I've tried to do this by modifying the Cache-Control header in casper.options.onResourceReceived, but it seems the headers are kind of READ-ONLY in this callback?!
I would appreciate some directions to investigate this problem.
If the server doesn't want a request cached, then there is nothing you can do. PhantomJS is just another browser, so it will follow those instructions.