header("Pragma: public"); // TODO not sure if really needed
This is apparently some implementation-specific header related to caching in some implementations. Pragme: no-cache is standard, but other values are implementation-defined.
header('Cache-Control: no-cache'); // TODO not sure if really needed
This prevents using cached resources without first validating them. I'd think this is not really needed, since the browser is free to validate partial responses, just like complete responses. However, it seems that Apache (or PHP) actually adds Cache-Control: no-store (which disallows all caching) on all responses by default, so I guess this header is intended to actually allow some caching. However, since we support no way of validation (If-modified-Since or Etag headers), no-cache effectively prevents all caching, which doesn't seem particularly useful. So just setting this to public with a max-age of 24h is probably better.
So, I've removed X-pad and updated the cache heades. I've also removed the Content-Disposition header, since that primarily sets the filename, but the browser can already just derive the filename from the URL. And I added a TODO about Apache's X-Sendfile header, to be looked at later.
With this, I think the code is ready to be tested, and if it works as expected, merged (after squashing).
This is apparently some implementation-specific header related to caching in some implementations.
Pragme: no-cache
is standard, but other values are implementation-defined.https://stackoverflow.com/questions/1920781/what-does-the-http-header-pragma-public-mean
This is apparently a workaround for a bug in Netscape, fixed 24 years ago, but the header still lingered in Apache for quite a while. https://stackoverflow.com/questions/8711584/x-pad-avoid-browser-bug-header-added-by-apache https://github.com/mnot/redbot/issues/229
This prevents using cached resources without first validating them. I'd think this is not really needed, since the browser is free to validate partial responses, just like complete responses. However, it seems that Apache (or PHP) actually adds
Cache-Control: no-store
(which disallows all caching) on all responses by default, so I guess this header is intended to actually allow some caching. However, since we support no way of validation (If-modified-Since
orEtag
headers),no-cache
effectively prevents all caching, which doesn't seem particularly useful. So just setting this topublic
with amax-age
of 24h is probably better.So, I've removed
X-pad
and updated the cache heades. I've also removed theContent-Disposition
header, since that primarily sets the filename, but the browser can already just derive the filename from the URL. And I added a TODO about Apache'sX-Sendfile
header, to be looked at later.With this, I think the code is ready to be tested, and if it works as expected, merged (after squashing).