issue appropriate HTTP headers for cacheability
When a user is /not/ logged in, the app should issue appropriate headers to allow caching by reverse proxies like Fastly, as well as by the user's browser. It should also set a Vary: Cookie header so that the cache will vary based on the user's cookie, e.g.:
    Cache-Control: max-age=3600, public
    Vary: Cookie, Accept-Encoding
Note: 3600 is just an example, and should be configurable.
When a user is logged in, the app should issue appropriate headers to disallow caching by Fastly or the browser, e.g.:
    Cache-Control: must-revalidate, no-cache, private
    Vary: Accept-Encoding
This is a new issue to replace issues on the old project:
- https://github.com/EFForg/actioncenter-dontuseforissues/issues/423
- https://github.com/EFForg/actioncenter-dontuseforissues/issues/424
The goal is that the app could be installed behind any reverse proxy and pretty much "just work" without any additional configuration of the reverse proxy.
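As an added illustration (not the Action Center's own code), the following is a small Rack-style middleware that emits the two header sets described above. It assumes a session cookie name (`_actioncenter_session`) as the logged-in signal and takes the max-age as a constructor option; both are assumptions, not anything the issue specifies. It also applies one extra check the issue does not mention: any response that carries a `Set-Cookie` header is marked private, since a shared cache must never store a response that hands a client its own cookie.

```ruby
# Added example, not code from the Action Center project.
# Assumptions (not from the issue): login state is inferred from the presence
# of a session cookie named SESSION_COOKIE, and max-age is a config option.
class CacheabilityHeaders
  SESSION_COOKIE = "_actioncenter_session" # assumed cookie name

  def initialize(app, max_age: 3600, session_cookie: SESSION_COOKIE)
    @app = app
    @max_age = Integer(max_age)
    @session_cookie = session_cookie
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    if logged_in?(env) || sets_cookie?(headers)
      # Logged in (or response is client-specific): neither Fastly nor the
      # browser may reuse it without revalidating.
      headers["Cache-Control"] = "must-revalidate, no-cache, private"
      headers["Vary"] = merge_vary(headers["Vary"], %w[Accept-Encoding])
    else
      # Anonymous: shared caches and browsers may store it, keyed on Cookie
      # so a later logged-in request never receives this copy.
      headers["Cache-Control"] = "max-age=#{@max_age}, public"
      headers["Vary"] = merge_vary(headers["Vary"], %w[Cookie Accept-Encoding])
    end
    [status, headers, body]
  end

  private

  # A request is treated as logged in when it carries the session cookie.
  def logged_in?(env)
    env["HTTP_COOKIE"].to_s.split(/;\s*/).any? do |pair|
      pair.split("=", 2).first == @session_cookie
    end
  end

  # A response that sets a cookie is specific to one client.
  def sets_cookie?(headers)
    !headers["Set-Cookie"].to_s.empty?
  end

  # Merge our Vary members with any the app already set, without duplicates.
  def merge_vary(existing, extra)
    members = existing.to_s.split(",").map(&:strip).reject(&:empty?)
    (members + extra).uniq(&:downcase).join(", ")
  end
end

# Constructed sample app: returns HTML, and sets a cookie on one path only.
APP = lambda do |env|
  headers = { "Content-Type" => "text/html" }
  headers["Set-Cookie"] = "flash=hi; Path=/" if env["PATH_INFO"] == "/sets-cookie"
  [200, headers, ["<html>action page</html>"]]
end

# Helper used for the demonstration: returns the response headers for a GET.
def headers_for(path, cookie = nil, max_age: 3600)
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "GET" }
  env["HTTP_COOKIE"] = cookie if cookie
  CacheabilityHeaders.new(APP, max_age: max_age).call(env)[1]
end

if $PROGRAM_NAME == __FILE__
  puts headers_for("/action").inspect
  puts headers_for("/action", "_actioncenter_session=abc").inspect
end
```

One practical consequence of `Vary: Cookie` worth knowing: a shared cache keys on the whole Cookie header, so an anonymous visitor carrying any unrelated cookie (an analytics cookie, for example) gets a separate cache entry. The headers stay correct, but the hit rate drops unless the proxy is configured to strip non-session cookies before lookup.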
We might also need to set a Vary header based on the Accept header. The action center is returning HTML for act.eff.org/action even when "Accept: application/json" is set.
That would be Vary: Accept and would be unfortunate since it decreases cacheability even more. I know it's not very RESTfulicious, but could we use a different endpoint for JSON, i.e. https://act.eff.org/action.json?
Vary: Accept-Encoding is to support compressed output, which I just noticed we're not doing. I'm going to file a Redmine bug about that.