According to the MDN article, the HSTS header should be included in the response to the first HTTPS request. Does that mean the response header for an OPTIONS request should contain the HSTS header as well?
So I'm testing with this setup. https://example.com/original always responds with a 308 status code, redirecting the browser to https://example.com/new.
https://example.com/new checks If-Modified-Since and If-None-Match to see if the cache is still valid, and returns 304 if so. Otherwise it should return 200 with the full content and ETag and Last-Modified in the response headers.
What I'm seeing is that after being redirected, however many times I try, the new request to https://example.com/new does not have If-Modified-Since or If-None-Match set. Thus the server always returns 200 with the full content. It feels like the browser just does not try to remember the ETag or Last-Modified returned by https://example.com/new.
Is it possible for the redirect response (https://example.com/original, which returns 308) to tell the browser to remember the ETag or Last-Modified so it can include If-Modified-Since or If-None-Match in the request to https://example.com/new?
I have a website that caches data; it uses a content-delivery network called Akamai, and this is the response header: 'cache-control': 'must-revalidate, max-age=600'. This means re-validate after 600 seconds (stale). If I want the CDN to query the origin server on each request, I can do this... cache-control: no-cache. When I send this request, I get the same response header... indicating that it isn't being re-validated? Is it actually not being re-validated, or is it being re-validated? Since the website is well-known, it is safe to say that the website is correctly responding to headers.
What you've observed is correct behavior.
Your Cache-Control request header applies to this request, while the Cache-Control response applies to future requests. Whether or not your client wants a fresh response to this request will not and should not change the server's general directions as to how its resources can be cached.
As long as you use no-cache in your requests you should not get a cached response.
How do I identify whether an HTTP request has a body or not? I referred to this: "HTTP response headers valid with no Transfer-Encoding and Content-Length?". The request made from Swagger UI has a body and no Content-Type. But when checking the request, it has neither a Transfer-Encoding header nor a Content-Length header. How do I identify whether it has a body or not?
Content-Type is entirely irrelevant for this.
The full (complex) algorithm to determine the message size is described in RFC 7230. See https://greenbytes.de/tech/webdav/rfc7230.html#rfc.section.3.3.3.
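The RFC 7230 section 3.3.3 procedure that the answer points to, written out step by step as a Python function. This is an added example, not code from the question or the answer, and the header lists in it are constructed. Applied to the request in the question, which carries neither Transfer-Encoding nor Content-Length, step 6 gives "no body"; the function also refuses the ambiguous cases (both headers present, conflicting Content-Length values, a request whose Transfer-Encoding does not end in chunked) instead of guessing, because two parsers guessing differently is what HTTP request smuggling exploits.

```python
"""Added example, not code from the question or answer above: message body
framing for an HTTP/1.1 message following the steps of RFC 7230 section 3.3.3.
All header lists used here and in the tests are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HeaderList = List[Tuple[str, str]]  # header fields in wire order; names are case-insensitive


@dataclass
class Framing:
    has_body: bool
    mode: str                     # "none", "chunked", "content-length" or "close-delimited"
    length: Optional[int] = None  # only meaningful for "content-length"


def _values(headers: HeaderList, name: str) -> List[str]:
    """All values of a (possibly repeated) header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def message_framing(headers: HeaderList, is_request: bool = True,
                    method: str = "GET", status: int = 200) -> Framing:
    """Apply RFC 7230 3.3.3 in order. Raises ValueError where the RFC calls the
    message malformed, so a server can answer 400 (or a client drop the
    response) instead of guessing a body length."""
    te = _values(headers, "Transfer-Encoding")
    cl = _values(headers, "Content-Length")
    # Steps 1-2: some responses never have a body, whatever the headers say.
    if not is_request:
        if method == "HEAD" or 100 <= status < 200 or status in (204, 304):
            return Framing(False, "none", 0)
        if method == "CONNECT" and 200 <= status < 300:
            return Framing(False, "none", 0)   # the connection becomes a tunnel
    # Step 3: Transfer-Encoding takes precedence over Content-Length, but a
    # message carrying both is malformed. Silently picking one is the parser
    # disagreement request-smuggling relies on, so it is rejected outright.
    if te:
        if cl:
            raise ValueError("Transfer-Encoding and Content-Length both present")
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        if codings and codings[-1] == "chunked":
            return Framing(True, "chunked")
        if is_request:
            raise ValueError("request Transfer-Encoding does not end with chunked")
        return Framing(True, "close-delimited")  # response: read until the connection closes
    # Steps 4-5: Content-Length must be a single, consistent, decimal value.
    if cl:
        distinct = {x.strip() for v in cl for x in v.split(",")}
        if len(distinct) != 1 or not re.fullmatch(r"[0-9]+", next(iter(distinct))):
            raise ValueError("invalid or conflicting Content-Length")
        n = int(distinct.pop())
        return Framing(n > 0, "content-length", n)  # a zero-length body is reported as no body
    # Step 6: a request with neither header has no body (length zero) ...
    if is_request:
        return Framing(False, "none", 0)
    # Step 7: ... while a response is delimited by the connection closing.
    return Framing(True, "close-delimited")


def is_rejected(headers: HeaderList, **kw) -> bool:
    """True when message_framing treats the message as malformed."""
    try:
        message_framing(headers, **kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The Swagger UI request from the question: no framing headers at all.
    print(message_framing([("Host", "api.example"), ("Accept", "*/*")]))
    print(message_framing([("Transfer-Encoding", "gzip, chunked")]))
```

Note that the result for a request is decided purely by Transfer-Encoding and Content-Length, which is why the answer says Content-Type is irrelevant: a client that "has a body" in its UI but sends neither header has, on the wire, sent no body at all.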
What value should the Cache-Control header have to enable ETag/Last-Modified? I want my resource files to be cached but never used without validation from the server, i.e. the browser should send an If-None-Match or If-Modified-Since header and receive a 304 HTTP status code to use the file from cache.
The short answer is Cache-Control: no-cache. The browser/caching proxy will always have to validate data before serving it. For successful validation the ETag and Last-Modified headers must be present. Otherwise the resource will always be downloaded fully from the server.
After reading about the Cache-Control field of the HTTP header,
I understand that the Cache-Control field in the HTTP response header (server to client) specifies the directives for the intermediate proxy servers/client browser on how to handle the response, by sending different values for the Cache-Control field: private, public, no-cache, or no-store in the response header.
But I don't get why we need to send Cache-Control as a request header (client to server)?
Cache-Control: no-cache is generally used in a request header (sent from web browser to server) to force validation of the resource in the intermediate proxies.
If the client doesn't send this request to the server, intermediate proxies will return a copy of the content if it is fresh (has not expired according to the Expires or max-age fields). Cache-Control directs these proxies to revalidate the copy even if it is fresh.
A client can send a Cache-Control header in a request in order to request specific caching behavior, such as revalidation, from the origin server and any intermediate proxy servers along the request path.
In addition to the above answer,
There might be a setup where cache chaining is implemented. In that case, if the request comes to the first cache where it is not satisfied, it might go to a further chained cache.
Thus, in order to always get the response from the server, we include Cache-Control in the request headers. This will ensure that the response is always from the server.
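A toy model of an origin server and a shared cache, added here to tie together the three threads above: the request-side Cache-Control: no-cache discussed in the last two answers, the must-revalidate, max-age=600 response from the Akamai question, and the Cache-Control: no-cache plus ETag/Last-Modified answer. This is added example code, not the posters' code and not Akamai's implementation; the clock, bodies, timestamps and the HIT/REVALIDATED/MISS labels are constructed, and the model skips the Age/Date arithmetic a real cache performs.

```python
"""Added example, not code from the questions or answers above: a toy origin
server and a toy shared cache showing how the response Cache-Control (freshness),
the request Cache-Control: no-cache (forced revalidation) and the ETag and
Last-Modified validators interact. Everything below is constructed."""
from email.utils import formatdate, parsedate_to_datetime
from hashlib import sha256
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'must-revalidate, max-age=600' -> {'must-revalidate': None, 'max-age': '600'}"""
    out: Dict[str, Optional[str]] = {}
    for directive in value.split(","):
        directive = directive.strip().lower()
        if directive:
            name, _, arg = directive.partition("=")
            out[name] = arg.strip('"') if arg else None
    return out


class Origin:
    """Origin server for one resource; answers conditional requests with 304."""

    def __init__(self, body: bytes, cache_control: str, last_modified: int,
                 send_validators: bool = True):
        self.body, self.cache_control = body, cache_control
        self.last_modified, self.send_validators = last_modified, send_validators
        self.full_responses = 0  # number of 200s served, to observe what the cache did

    @property
    def etag(self) -> str:
        return '"%s"' % sha256(self.body).hexdigest()[:16]

    def handle(self, req: Headers) -> Tuple[int, Headers, bytes]:
        resp: Headers = {"Cache-Control": self.cache_control}
        if self.send_validators:
            resp["ETag"] = self.etag
            resp["Last-Modified"] = formatdate(self.last_modified, usegmt=True)
            inm = req.get("If-None-Match")
            if inm is not None:  # If-None-Match takes precedence over If-Modified-Since
                tags = [t.strip() for t in inm.split(",")]
                if "*" in tags or self.etag in tags:
                    return 304, resp, b""
            elif "If-Modified-Since" in req:
                try:
                    since = parsedate_to_datetime(req["If-Modified-Since"]).timestamp()
                    if since >= self.last_modified:
                        return 304, resp, b""
                except (TypeError, ValueError):
                    pass  # an unparseable date is ignored, not an error
        self.full_responses += 1
        return 200, resp, self.body


class SharedCache:
    """Caching proxy: serves fresh copies, otherwise revalidates with the origin."""

    def __init__(self, origin: Origin, clock):
        self.origin, self.clock = origin, clock  # clock() returns "now" in seconds
        self.entry: Optional[Tuple[Headers, bytes, float]] = None

    def get(self, req: Headers) -> Tuple[str, Headers, bytes]:
        now = self.clock()
        req_cc = parse_cache_control(req.get("Cache-Control", ""))
        if self.entry is not None:
            headers, body, stored_at = self.entry
            resp_cc = parse_cache_control(headers.get("Cache-Control", ""))
            fresh = ("no-cache" not in resp_cc
                     and now - stored_at <= int(resp_cc.get("max-age") or 0))
            # A fresh copy is served as-is unless the *request* says no-cache.
            if fresh and "no-cache" not in req_cc:
                return "HIT", headers, body
            # Stale (or forced): revalidate with the stored validators. With
            # must-revalidate a stale copy is never served without this succeeding.
            cond = dict(req)
            if "ETag" in headers:
                cond["If-None-Match"] = headers["ETag"]
            if "Last-Modified" in headers:
                cond["If-Modified-Since"] = headers["Last-Modified"]
            status, new_headers, new_body = self.origin.handle(cond)
            if status == 304:
                self.entry = (new_headers, body, now)  # copy still valid; refresh its age
                return "REVALIDATED", new_headers, body
        else:
            status, new_headers, new_body = self.origin.handle(req)
        if "no-store" not in parse_cache_control(new_headers.get("Cache-Control", "")):
            self.entry = (new_headers, new_body, now)
        return "MISS", new_headers, new_body


def run_scenario(cache_control: str, send_validators: bool = True) -> Tuple[List[str], int]:
    """Constructed walk-through: two plain fetches, one with request no-cache,
    then one after max-age has elapsed. Returns the labels and the number of
    full 200 responses the origin had to serve."""
    clock = [1_000_000]
    origin = Origin(b"hello", cache_control, last_modified=999_000,
                    send_validators=send_validators)
    cache = SharedCache(origin, lambda: clock[0])
    outcomes = [cache.get({})[0], cache.get({})[0],
                cache.get({"Cache-Control": "no-cache"})[0]]
    clock[0] += 601
    outcomes.append(cache.get({})[0])
    return outcomes, origin.full_responses


if __name__ == "__main__":
    print(run_scenario("must-revalidate, max-age=600"))  # the Akamai-style response
    print(run_scenario("no-cache"))                      # revalidate every time, 304s
    print(run_scenario("no-cache", send_validators=False))  # no validators: full downloads
```

Three things to observe when running it: the request with Cache-Control: no-cache forces a round trip to the origin even though the copy is fresh, yet the Cache-Control in the returned headers is still the origin's must-revalidate, max-age=600, exactly as the Akamai answer explains; a response Cache-Control: no-cache makes every fetch a revalidation that the stored copy survives via a 304; and dropping the validators turns every one of those revalidations into a full 200.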