Cache headers will only be respected when the Cache Level is set to "Site Caching" or "Disabled".
To analyze the cache headers, we'll use a tool called curl. You can also use the Developer Tools of your browser.
If you are using Microsoft® Windows, install Git for Windows before proceeding.
Open the Terminal (or Git for Windows) and run the following command:
curl -IL http://yourdomain.com/
Replace "yourdomain.com" with your domain or the complete URL of the page/file. For example, to check the HTTP headers of Sucuri Blog's front page:
$ curl -IL https://blog.sucuri.net/
HTTP/1.1 200 OK
Server: Sucuri/Website Firewall
Date: Thu, 19 Jan 2017 15:18:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=aha8r2fs3m0njv8h3be14hbtt2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Cookie
Link: <https://blog.sucuri.net/wp-json/>; rel="https://api.w.org/"
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Sucuri-ID: 11005
Here are the lines we need to pay attention to for the purpose of this article:
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Cookie
Sucuri's blog uses the "Enabled" cache level, so these HTTP headers are completely ignored. However, if it were using the "Site Caching" cache level, those headers would be honoured and, as a result, Sucuri's blog would never be cached by the Firewall.
Do you know why? Let's understand a bit more about how cache headers work.
Vary is a powerful header that is frequently used incorrectly. Here's a list of the possible values:
- Vary: Accept-Encoding
When the origin server (your server) doesn't send this header, two things can happen:
1) If the content isn't compressed, you will spend more bandwidth, but all browsers will be able to render the page.
2) If the content is compressed but there is no Vary: Accept-Encoding header, older browsers won't be able to render the content, because a cache may hand them the compressed copy they never asked for.
To avoid that kind of issue, the origin server must send Vary: Accept-Encoding when the content is compressed. That way Sucuri Firewall will keep two separate versions of your content: one without compression and one with compression. Depending on the browser, Sucuri Firewall will serve the right version, saving bandwidth, speeding up your website and keeping compatibility with older browsers.
- Vary: Cookie
This header prevents authenticated users from seeing cached versions of pages intended for guests. It has the same effect as "Cache-Control: private, no-cache", which will be mentioned later. With this header, Sucuri Firewall will only cache requests based on the Cookie sent by the server, which is usually unique for authenticated users.
- Vary: User-Agent
If your website has a mobile version, this header can help you with your SEO. It obliges cache servers to create different versions of the pages depending on the User-Agent.
Attention: a mobile version is different from a responsive design. A responsive design is interpreted differently by the browser, but the page content is exactly the same for all user agents. You shouldn't use this header for responsive websites.
- Vary: Referer
This header will instruct the browser to re-check with the server for each different referrer. It isn't recommended unless you know exactly what you are doing.
- Vary: *
Don't use it. It prevents any sort of caching and greatly increases the origin server load.
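As an added example (not part of the Sucuri article), the POSIX shell script below reads the header block that curl -IL prints, keeps only the final response when curl followed redirects, folds repeated Vary lines into one list, and reports whether a cache in "Site Caching" mode would store the response and which Vary values would split it into variants. The hostname yourdomain.example and the sample headers are constructed for this demo; they are not taken from a real site.

```shell
#!/bin/sh
# Added example (not from the Sucuri article): read the headers curl prints and
# report what a shared cache in "Site Caching" mode would do with them.
# Live usage (hostname is a placeholder):
#   curl -sIL https://yourdomain.example/ | cache_verdict
# The sample headers at the bottom are constructed for this demo.

# Keep only the final response when curl -L printed several hops, and drop CRs.
last_response() {
    tr -d '\r' | awk -v RS= '{ last = $0 } END { print last }'
}

# Print the value of header $1 (case-insensitive), folding repeated headers
# (e.g. two Vary lines) into one comma-separated list, as HTTP allows.
header_value() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v name="$name" '
        tolower($0) ~ ("^" name ":") {
            v = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            out = (out == "") ? v : out ", " v
        }
        END { print out }'
}

# Print CACHED... and return 0 when the firewall would store the response;
# print NOT CACHED... naming the blocking header and return 1 otherwise.
cache_verdict() {
    headers=$(last_response)
    cc=$(printf '%s\n' "$headers" | header_value Cache-Control | tr 'A-Z' 'a-z')
    pragma=$(printf '%s\n' "$headers" | header_value Pragma | tr 'A-Z' 'a-z')
    vary=$(printf '%s\n' "$headers" | header_value Vary | tr 'A-Z' 'a-z')
    note=""
    case "$cc" in
        *no-store*|*no-cache*|*private*)
            printf '%s\n' "NOT CACHED by the firewall: Cache-Control: $cc"; return 1 ;;
    esac
    case "$pragma" in
        *no-cache*)
            printf '%s\n' "NOT CACHED by the firewall: Pragma: no-cache"; return 1 ;;
    esac
    case ",$(printf '%s' "$vary" | tr -d ' ')," in
        *,\*,*)
            printf '%s\n' "NOT CACHED by the firewall: Vary: *"; return 1 ;;
        *,cookie,*)
            note=" (a separate copy per Cookie value, so logged-in users never share a page)" ;;
    esac
    if [ -n "$vary" ]; then
        printf '%s\n' "CACHED: one variant per distinct { $vary }$note"
    else
        printf '%s\n' "CACHED: a single shared copy for every client"
    fi
}

# Constructed sample: the WordPress-style headers the article discusses.
BLOG_SAMPLE=$(printf '%s\n' \
    'HTTP/1.1 200 OK' \
    'Server: Sucuri/Website Firewall' \
    'Vary: Accept-Encoding' \
    'Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0' \
    'Pragma: no-cache' \
    'Vary: Cookie')

# Constructed sample: a redirect hop followed by a cacheable static file.
STATIC_SAMPLE=$(printf '%s\n' \
    'HTTP/1.1 301 Moved Permanently' \
    'Location: https://yourdomain.example/logo.png' \
    '' \
    'HTTP/1.1 200 OK' \
    'Content-Type: image/png' \
    'Cache-Control: public, max-age=31536000' \
    'Vary: Accept-Encoding')

printf '%s\n' "$BLOG_SAMPLE"   | cache_verdict || :
printf '%s\n' "$STATIC_SAMPLE" | cache_verdict || :
```

The script only reads text, so it runs offline against the two constructed samples; pipe `curl -sIL` into `cache_verdict` to check a live site. Its return code makes it usable in a deployment check (`cache_verdict && echo cacheable`).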
Cache-Control is the most common and important cache header. It has 2 possible values:
- public
Mainly used for static content and public pages (guests only). public always comes with max-age=X (X in seconds) to control the cache expiration. Actually, when you specify max-age=X, it isn't necessary to include public, as it is implicit.
It's especially useful for event-driven content websites, like wikis, news portals, highly updated blogs, etc. You can use the Sucuri Firewall cache as a microcaching layer as explained in the 8th step of the Troubleshoot Caching Issues article.
For websites that don't update their public content frequently, it is even possible to use a longer
For even better control, you can also use "s-maxage". The Shared Max Age is a max-age specific to reverse caches or other public proxy servers and is generally set lower than max-age.
If your server doesn't provide a Cache-Control header specifically for static content, like images, js, css, swf, mp3, mp4, pdf or fonts, our system will automatically set Cache-Control: "max-age=315360000" for those files.
Side note: the Firewall will check and revalidate (if necessary) those files every 3 days. However, static files will always be cached, regardless of the cache level or the non-cached URLs. Check the 4th step of the Troubleshoot Caching Issues article to learn how to avoid static content caching.
- private
It tells the cache server (Sucuri Firewall) not to cache the content at all. You must combine it with no-store, no-cache, must-revalidate, post-check=0, pre-check=0 to also avoid browser caching. It is commonly used for authenticated users' sections and to prevent dynamic content caching.
Pragma is basically an "obsolete" cache-control, used for HTTP/1.0 requests. It has two variables of self-explanatory meaning:
no-cache. It's still in use because older browsers may not support the newest protocols, like HTTP/1.1.
After the date the Expires header specifies, the browser has to request the newest copy of the content. The copy won't be considered valid after this date, but until then, the local copy should be used. It's expected that Expires matches the max-age value of Cache-Control, but it's not mandatory.
As with Cache-Control, if your server doesn't provide an Expires header, our system will automatically set an Expires of 20 years for static files.
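As an added example (not part of the Sucuri article), the POSIX shell script below computes how long a shared cache such as the Firewall may keep a response, following the precedence discussed above: no-store/no-cache/private forbid caching, s-maxage beats max-age, and Expires minus Date is used only when no max-age is present, with the max-age=315360000 default for static files that arrive without a Cache-Control header. The HTTP-date conversion is done in plain awk so it does not depend on GNU date; the extension list for "fonts" (woff, woff2, ttf) and the sample values are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the Sucuri article): compute how long a shared cache
# may keep a response from Cache-Control, Expires and Date, applying the
# precedence the article describes and the firewall's static-file default.
# The sample values at the bottom are constructed for this demo.

# Convert an HTTP date such as "Thu, 19 Jan 2017 15:18:31 GMT" to Unix epoch
# seconds with plain awk, so the script stays portable (no GNU date -d).
http_date_to_epoch() {
    printf '%s\n' "$1" | awk '
    {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        d = $2 + 0; mo = mon[$3]; y = $4 + 0
        split($5, t, ":")
        # days since 1970-01-01 via the "days from civil" algorithm
        if (mo <= 2) y -= 1
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Pull one directive's value (e.g. max-age) out of a Cache-Control string.
directive_value() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ',' '\n' \
        | sed -n "s/^$2=//p" | head -n 1
}

# Seconds a shared cache (the firewall) may serve the response without going
# back to the origin. $1 = Cache-Control, $2 = Expires, $3 = Date (any may be empty).
# Precedence: no-store/no-cache/private -> 0; then s-maxage; then max-age;
# then Expires minus Date (never negative).
shared_cache_ttl() {
    cc=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    case ",$cc," in
        *,no-store,*|*,no-cache,*|*,private,*) echo 0; return ;;
    esac
    smax=$(directive_value "$1" s-maxage)
    max=$(directive_value "$1" max-age)
    if [ -n "$smax" ]; then echo "$smax"; return; fi
    if [ -n "$max" ]; then echo "$max"; return; fi
    if [ -n "$2" ] && [ -n "$3" ]; then
        ttl=$(( $(http_date_to_epoch "$2") - $(http_date_to_epoch "$3") ))
        if [ "$ttl" -gt 0 ]; then echo "$ttl"; else echo 0; fi
        return
    fi
    echo 0
}

# The article lists images, js, css, swf, mp3, mp4, pdf and fonts as the
# static types that get max-age=315360000 when no Cache-Control is sent;
# the concrete font extensions here are this example's assumption.
is_static_file() {
    case "$1" in
        *.png|*.jpg|*.jpeg|*.gif|*.js|*.css|*.swf|*.mp3|*.mp4|*.pdf|*.woff|*.woff2|*.ttf) return 0 ;;
        *) return 1 ;;
    esac
}

# Effective TTL for a path: origin headers if present, else the static default.
effective_ttl() {  # $1 = path, $2 = Cache-Control, $3 = Expires, $4 = Date
    if [ -z "$2" ] && [ -z "$3" ] && is_static_file "$1"; then
        echo 315360000; return
    fi
    shared_cache_ttl "$2" "$3" "$4"
}

# Constructed demo values (the first set mirrors the headers shown in the article).
DATE='Thu, 19 Jan 2017 15:18:31 GMT'
printf 'blog front page (no-store + 1981 Expires): %s s\n' \
    "$(shared_cache_ttl 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0' 'Thu, 19 Nov 1981 08:52:00 GMT' "$DATE")"
printf 'public page, s-maxage wins over max-age: %s s\n' "$(shared_cache_ttl 'public, max-age=3600, s-maxage=60')"
printf 'Expires one hour after Date, no max-age: %s s\n' "$(shared_cache_ttl '' 'Thu, 19 Jan 2017 16:18:31 GMT' "$DATE")"
printf 'image with no cache headers at all: %s s\n' "$(effective_ttl /wp-content/uploads/logo.png '' '' '')"
```

Running the script shows why the blog front page would never be cached under "Site Caching" (0 seconds) while a bare image gets the ten-year default, and how s-maxage lets you keep a short TTL on the Firewall while browsers hold a longer max-age.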
Caching is one of the most important techniques available to speed up your website, save resources and improve your website's resilience against DDoS attacks.
Last-Modified headers weren't mentioned because they don't affect the Sucuri Firewall cache behavior.