Cache-Control headers - ignore query parameters - node.js

I am setting up a Cloudfront distribution for my companies website.
We would like to set the caching time by using the Cache-Control headers on the server-side (Node.Js with Express), like this:
if (req.url.startsWith('/static')) {
res.setHeader('Cache-Control', 'public,max-age=500');
}
At first, this seems to work well, but one of the criteria for the cache is failing, and that is, to ignore query string parameters.
For example, the request "domain.com/static/logo" and "domain.com/static/logo?foo=bar" should be interpreted as the same resource, and cached as one.
I wonder if it is possible to cache a resource while ignoring its query string parameters, using only the Cache-Control headers.
Thank you.

Bydefault CloudFront does remove the query string and also doesn't consider it into the cache , this is a default behaviour of CloudFront so that there are not multiple cache copies based on different query string parameter.
If you don't seem this behaviour, you may have "Query string" set to Forward all and cache based on call in CloudFront's cache behaviour.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/QueryStringParameters.html

Related

Express doesn't allow changing the CSP header

For some reason the latest Express.JS versions are forcing a default, restrictive CSP (Content-Security-Policy) header value.
I'm trying to instantiate a middleware in order to change CSP to a more permissive one (that's currently on my needs for the project) but Express.JS seems to ignore every value for the Content-Security-Policy header. Calling res.setHeader("...", "some value") does work on that middleware when I change the key name to everything but "Content-Security-Policy". I'm not defining this header anywhere else, so it seems to come from Express.JS itself. What's exactly going on, how to correctly make Express.JS to recognize it?
Example: requesting the main page shows the default restrictive header for CSP, ignoring the value I set on line 29
Another example: changing the header to another name that's not CSP correctly enlists it to the headers

ISAPI filter and compression cancellation

I have an old style ISAPI filter which intercepts SF_NOTIFY_SEND_RESPONSE and changes the Content-Type to / and sets Content-Encoding to empty string. It happens when the response body is smaller than some threshold and its done for compression cancelation. So far it works but I have two concerns.
Is this the right way to do what I've done from technical point of view?
Could Content-Type altering be potentially dangerous?
Looks like setting Content-Encoding to empty string is enough, this way you dont have to deal with mime-type changes which can be potentially dangerous

How to allow a wildcard for part of a querystring in IIS request filtering

I have a querystring that is made up of 3 parts.
The first 2 parts are static but the last one is dynamic and can be any value.
Because keywords used in part of the querystring are blocked / denied by IIS I need to know how to allow a dynamic value for only the last part of the query string in Request Filtering in IIS 7.5
So for example:
in-content=knownvalue&out-content=knownwvalue&searchable= *this could be any word that is made up of characters, numbers, hyphens apostrophe's & signs etc.
Thanks in advance for any help guys.
Because keywords used in part of the querystring are blocked / denied by IIS I need to know how to allow a dynamic value for only the last part of the query string
I don't believe you can configure the default Request Validation on a per-parameter level at present, so to allow all input for a particular parameter you'd have to disable it.
(I would do that anyway because IIS Request Validation is a misguided bogus security measure that hides not solves injection problems.)
If you still wanted to do input filtering on a parameter-by-parameter basis afterwards, you could implement that in the application or by providing your own request validation (subclassing RequestValidation and pointing requestValidationType at that class). Application-specific input filtering is generally a good thing, but it is not the answer to injection XSS issues, for which the only effective solution remains correct escaping for the output context.

Express eTag always changing

I have a rest like API through Node Express.
The ETag is default, not explicitly turned on or off. However whenever I test hitting the server, it always gives me a new ETag, even if the returned JSON/HTML is exactly the same. I also checked the returned header and they look the same. I tested this with two types of content, an API and a static HTML content like a privacy page.
Any idea how to check what's making it different each time?
Express' default behavior is to provide a "strong"-ly validated etag which will only be the same as a previous response if the current response is precisely the same, byte-for-byte.
You could try setting express' etag to weally validate the response, which indicates to the browser that the current response is semantically equivalent as a previous one with the same value, that is, while they might not be byte-for-byte the same, they encapulate or represent the same meaning. To do this, use app.set('etag','weak')
Finally, if this doesn't work for you, you can create your own etag validation function using app.get('etag',function(body,encoding){...}) where you return a hash generated from your content; this allows you to control what express (and thus, the browser) considers being different means in the context of your response.
More than you ever wanted to know about etags can be found at Wikipedi:HTTP_ETag

Can Varnish evaluate the HTML in the response to determine whether to cache?

I'd like to exclude certain pages from the Varnish cache based on the content of the page (for instance if the Form uses a particular hidden field which is a security feature and needs to be unique on every page refresh).
I have dozens of forms, so I don't want to have to exclude each unique page individually from the cache.
Is this possible within the VCL?
No, normally not. The proper way to do it would be to set cache-headers (for instance "Cache-Control: no-cache, must-revalidate") on your pages with the non-cacheable forms that varnish in turn will read.
As a nice side effect that will also cancel most client side caches that also often can cause troubles with CAPTCHAs and the like.

Resources