SURFscz / SRAM-deploy

Deploy scripts for the SCZ
Apache License 2.0

Add cache-control header to static content in SBS #445

Closed mrvanes closed 1 year ago

oharsta commented 1 year ago

@mrvanes The cache-control: max-age=3600, public header is added for static resources, but the cache-control: private is not removed. The response now has two cache-control headers and Chrome takes precedence over the last.

mrvanes commented 1 year ago

So, @baszoetekouw how attached are you to nocache in this line?

cookie SERVERID insert indirect maxidle 60m secure httponly nocache attr "SameSite=None"

Did you carefully cook that up, or was that just a monkey-see monkey-do from https://www.haproxy.com/blog/enable-sticky-sessions-in-haproxy/?

nocache sets the Cache-Control: private HTTP header so that cache servers between HAProxy and the user won’t cache the response.

Is this needed for the sticky SERVERID session or just a cautious config? Are cookies part of a cached response? Do we need to cater for possible caching bad proxies? https://stackoverflow.com/questions/9334393/proxy-cacheing-what-about-cookies

baszoetekouw commented 1 year ago

In the end, SBS is the only entity in the chain that is able to make the distinction between content that is user specific (and must not be shared between clients) and content that is public and shareable.

So, we should probably set

Cache-Control: public, max-age=86400

for stuff in /static and things like CO-images and set

cache-control: no-cache

for api calls.

Is it easier to do this in nginx or in flask/sbs? I don't mind either way.

I think haproxy should not cache anything here, so we should probably remove the nocache attribute there.
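
The following is an added example, not part of the thread and not SBS code: a stdlib-only WSGI middleware that applies the policy proposed above on the application side and replaces, rather than appends to, any existing Cache-Control header, so a response never carries two conflicting values. The /static/ prefix, the sample paths and the helper names are assumptions, and the code does not affect a header that HAProxy adds afterwards through nocache.

```python
import posixpath

STATIC_PREFIX = "/static/"               # assumption: where public assets are served
PUBLIC_POLICY = "public, max-age=86400"  # shareable content
DEFAULT_POLICY = "no-cache"              # API calls and anything user specific


def policy_for(path):
    """Return the single Cache-Control value for a request path."""
    # Normalise first so /static/../api/... is not classified as public.
    normalized = posixpath.normpath(path)
    return PUBLIC_POLICY if normalized.startswith(STATIC_PREFIX) else DEFAULT_POLICY


class CacheControlMiddleware:
    """Replace every Cache-Control header set by the app with one policy value."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        policy = policy_for(environ.get("PATH_INFO", ""))

        def patched_start(status, headers, exc_info=None):
            # Header names are case-insensitive: drop all variants, add one.
            kept = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            kept.append(("Cache-Control", policy))
            return start_response(status, kept, exc_info)

        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    """Constructed app that emits the duplicate headers described in the thread."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("cache-control", "max-age=3600, public"),
        ("Cache-Control", "private"),
    ])
    return [b"ok"]


def response_headers(app, path):
    """Run one GET through a WSGI app and return the response header list."""
    captured = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    list(app(environ, lambda status, headers, exc_info=None: captured.extend(headers)))
    return captured
```
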