I am trying to set Cache-Control to no-cache, no-store, must-revalidate, private in the HTTP Response Headers section in IIS Manager (v7.5). If I add a new custom HTTP Response Header and paste above string in there, I am getting the following output inspecting the website:
Cache-Control: private, no-cache, no-store, must-revalidate, private
How come the private value is set twice? I guess it is set somewhere within ISS already, since it shows Cache-Control: private even if I remove my custom HTTP Request Header.
This leaves me with the following two questions:
What is the right way of setting the HTTP Response Header
Cache-Control: no-cache, no-store, must-revalidate, private
site-wide?
What would be the caveat of having set Cache-Control: no-cache,
no-store, must-revalidate, private site-wide?
I found a good summary on the topic already but nothing specific to setting the HTTP Response Header for Cache-Control site-wide within IIS.
I am running a classic asp application. Could it be that the second private attribute is set there? Any starting point where I could look?
Thank you very much for you help :-)
Related
I am trying to unset cookie if my cookie has certain value.
I tried getting the value using beresp.http.Set-Cookie but this seems to get first value set in Set-Cookie on response. Is there any way I can pull the second Set-Cookie's value ?
Edit
This is my Response header
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 19 Feb 2021 09:47:53 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12297
Connection: keep-alive
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Encoding: br
Set-Cookie: VarnishCustomerIsGuest=True; path=/
Set-Cookie: .Nop.Customer=62a224b9-3b5b-4e74-8200-cf341df111af; expires=Sat, 19 Feb 2022 09:47:53 GMT; path=/; httponly
Set-Cookie: .Nop.TempData=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax; httponly
Vary: Accept-Encoding
X-MiniProfiler-Ids: ["4f9a095d-bbd1-4ffe-81e1-31761363af25"]
X-TMP1000: VarnishCustomerIsGuest=True; path=/
X-Varnish: 163854
Age: 0
Via: 1.1 varnish (Varnish/5.2)
X-Cache: MISS
Accept-Ranges: bytes
What I am trying to do is get the customer cookie at vcl_backend_response. But
beresp.http.Set-Cookie
gives me the first set-cookie value of VarnishCustomerIsGuest and I am not sure if I can get the customer cookie .Nop.Customer.
My application backend always sets cookie for every request so what I am trying to do is unset the cookies depending on .Nop.Customer value so that for some particular customer the page is always served from the varnish cache.
Varnish's vmod_std has the std.collect() function that collapses headers into a single header.
In your case, the following VCL snippet could be used to collapse all occurrences of the Set-Cookie header into a single Set-Cookie:
vcl 4.0;
import std;
sub vcl_backend_response {
std.collect(beresp.http.Set-Cookie);
}
Of course your existing VCL logic should be part of the VCL file as well. This example just shows the need to import the VMOD and to call std.collect() within vcl_backend_response.
An important disclaimer that comes directly from the std.collect() documentation page:
Care should be taken when collapsing headers. In particular collapsing Set-Cookie will lead to unexpected results on the browser side.
Once the Set-Cookie header is collapsed, you can use regsub() logic to extract the necessary values.
We're using Azure CDN to serve images, and I'm trying to understand why images are being strong-cached by web browsers even though there is no Cache-Control or Expires headers in the image response.
For example, the following response headers are returned for an image from Azure CDN:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-MD5: KuQCJm6GQyEjejWwmRgRwQ==
Content-Type: image/jpeg
Date: Tue, 21 Nov 2017 00:15:57 GMT
Etag: 0x8D523228F0F4C42
Last-Modified: Sat, 04 Nov 2017 01:22:47 GMT
Server: ECAcc (meb/A744)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 00822b7c-001e-0045-4194-61d246000000
x-ms-version: 2009-09-19
Content-Length: 5143
<<image data>>
As you can see there is an Etag header returned, but no Cache-Control or Expires headers.
When tracing the network traffic (using Fiddler) from the browser (Chrome), we are NOT seeing any subsequent requests for these images.
My understanding of Etags is that subsequent requests for this image should be sent back to the server (weak caching), and then the server can return a 304 not modified response if the file has not changed.
Can anyone shed any light on this?
I think you need the header cache-control: must-revalidate to get the browser to check the source and have 304 mot modified returned if there is no change.
This is not optimal in terms of caching though.
You are better to invalidate the js with QS changes ("v=??") or set a short expires / max-age header (60 / 120 seconds, or whatever you can handle in terms of deployment, 5 minutes???).
Having an expires header combined with etags should still mean the browser receives a 304 not modified from the server after expiration.
I am setting up a subscription request. I receive the validationtoken url param so according to the docs I have to reply in the next five seconds doing this:
Set the content type in the response header to text\plain.
Include only the validation token in the response body.
Return an HTTP 200 response code.
This tells the Outlook notifications service that the listener received the URL validation request, and the validation succeeded.
I am receiving an error though:
{"error":{"code":"ErrorInvalidParameter","message":"Notification URL 'https://mycallbackurl.com/api/notify?validationtoken=NTk4NzliNzktNTE1MS00ZjE1LWJjNzctMTE4NzI4NTNhODlh' verification failed 'System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.\r\n at System.Net.HttpWebRequest.GetResponse()\r\n at Microsoft.Exchange.Services.OData.ODataPushSubscriptionCallbackUrlValidationHelper.SendRequestAndVerifyResponse(Uri callbackUrl, PushSubscription pushSubscription)'."}
This is my reply that attempts to use that validation token:
REQUEST
https://mycallbackurl.com/api/notify?validationtoken=NTk4NzliNzktNTE1MS00ZjE1LWJjNzctMTE4NzI4NTNhODlh
RESPONSE CODE
200
RESPONSE BODY
NTk4NzliNzktNTE1MS00ZjE1LWJjNzctMTE4NzI4NTNhODlh
RESPONSE HEADERS
Date: Mon, 16 May 2016 09:42:50 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: chrome-extension://aejoelaoggembcahagimdiliamlcdmfm
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization, Accept, Origin, Content-Type, Access-Control-Allow-Credentials, Access-Control-Allow-Origin
Access-Control-Expose-Headers: X-Api-Version
Access-Control-Max-Age: 3600
Access-Control-Allow-Methods: POST, PATCH, PUT, GET, OPTIONS, DELETE
Allow: POST, PATCH, PUT, GET, OPTIONS, DELETE
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Api-Version: 1.3
Content-Type: text/plain;charset=UTF-8
Content-Length: 48
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
The only think that changes between what is expected for and what I am providing is content type:
Expected: text/plain
Produced: text/plain;charset=UTF-8
Assuming this is the reason of the error, would not make sense to allow both cases?
The error indicates a failure to establish a secure connection (SSL). There may be a problem with your SSL certificate. Is it a self-issued cert perhaps?
I have an application on node.js using sails.js as a framework. For displaying the informations to the user I have implemented some .ejs files.
When navigating using links within the app menu, I receive a "304 - Nod Modified" response. Also, within headers in the response I see Etag, If-None-Match or Expires.
After reading some posts, I have added the "app.disable('etag')" statement within /config/express.js file in the customMiddleware function and etag and if-none-match are not sent anymore.
Anyway, now I do not see any request made to the server (just the first one is made) when accessing different pages (not even 304 response).
How can I tell sails.js to stop caching my pages?
You can add this to a policy instead and then just apply it to the specific pages/requests you want - if you do not want to set this for the entire application.
/api/policies/nocache.js:
/**
* Sets no-cache header in response.
*/
module.exports = function (req, res, next) {
sails.log.info("Applying disable cache policy");
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Expires', '-1');
res.header('Pragma', 'no-cache');
next();
};
It seems that adding the code below solved my problem:
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Expires', '-1');
res.header('Pragma', 'no-cache');
These line should be included in the customMiddleware function from the /config/express.js file.
If there is a cleaner way to achieve the same result, please reply.
I use node-formidable to process a form via POST at http://127.0.0.1/upload. After processing, I want to redirect the user to http://127.0.0.1/. Currently, I need to reload http://127.0.0.1/ in order to see the uploaded data. I assume I need to tweak a cache setting.
How can I do this in Node.js? Do I set Cache-Control: no-cache on http://127.0.0.1/ or /upload?
you set it on http://127.0.0.1.
try something like this:
res.header('Cache-Control', 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0');