splitgraph / seafowl

Analytical database for data-driven Web applications 🪶
https://seafowl.io
Apache License 2.0

Enable cached GET endpoint for authorized requests #326

Closed gruuya closed 1 year ago

gruuya commented 1 year ago

Consequently, also add the auth header to the VARY header.

Also enable dropping of external tables.

Closes #300 and #323.

milesrichardson commented 1 year ago

You might also consider adding the Cache-Control: private response header, which indicates that responses may be cached in local caches (e.g. the user's browser), but not in shared caches (e.g. Cloudflare).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#response_directives

This would probably be more beneficial if Seafowl were using JWT for Authorization headers (since in that case, the Vary would Vary for the same user but different token). But it's also probably good practice in terms of security.

I guess it's a design decision (maybe should be configurable?) whether you want intermediate caches like Cloudflare to cache private content.
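The interaction discussed above between `Vary` on the auth header and `Cache-Control: private`, as an added Rust sketch that is not part of this PR or of Seafowl's code. The `cache_key` function, the `CacheKind` type, the `Authorization` header name, the URL and the tokens are assumptions made for illustration; the shared-cache rule for authenticated requests follows RFC 9111 section 3.5.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq)]
enum CacheKind { Private, Shared }

// Header maps keyed by lowercase field name (a simplification for this sketch).
type Headers<'a> = HashMap<&'a str, &'a str>;

/// Key under which a cache of `kind` may store the response to a GET for `url`,
/// or None when it must not store the response at all.
fn cache_key(kind: CacheKind, url: &str, req: &Headers, resp: &Headers) -> Option<String> {
    let cc: Vec<String> = resp.get("cache-control").unwrap_or(&"")
        .split(',').map(|d| d.trim().to_ascii_lowercase()).collect();
    let has = |name: &str| cc.iter().any(|d| d == name || d.starts_with(&format!("{}=", name)));
    if has("no-store") { return None; }
    if kind == CacheKind::Shared {
        if has("private") { return None; }
        // RFC 9111 section 3.5: a shared cache reuses a response to a request carrying
        // Authorization only if the response opts in with one of these directives.
        let opted_in = has("public") || has("must-revalidate") || has("s-maxage");
        if req.contains_key("authorization") && !opted_in { return None; }
    }
    // Vary extends the key with the request's value for every listed field.
    let mut key = url.to_string();
    for field in resp.get("vary").unwrap_or(&"").split(',') {
        let field = field.trim().to_ascii_lowercase();
        if field == "*" { return None; } // treated here as never reusable
        if !field.is_empty() {
            key.push_str(&format!("|{}={}", field, req.get(field.as_str()).unwrap_or(&"")));
        }
    }
    Some(key)
}

fn main() {
    // Constructed requests and responses; the URL and tokens are placeholders.
    let url = "/query/example";
    let alice: Headers = HashMap::from([("authorization", "Bearer token-a")]);
    let bob: Headers = HashMap::from([("authorization", "Bearer token-b")]);
    let private_resp: Headers = HashMap::from([("cache-control", "private, max-age=60"), ("vary", "Authorization")]);
    let public_resp: Headers = HashMap::from([("cache-control", "public, max-age=60"), ("vary", "Authorization")]);
    println!("shared cache, private: {:?}", cache_key(CacheKind::Shared, url, &alice, &private_resp));
    println!("browser cache, private: {:?}", cache_key(CacheKind::Private, url, &alice, &private_resp));
    println!("shared cache, public, token-a: {:?}", cache_key(CacheKind::Shared, url, &alice, &public_resp));
    println!("shared cache, public, token-b: {:?}", cache_key(CacheKind::Shared, url, &bob, &public_resp));
}
```

With `private` the shared cache stores nothing while the browser cache keeps a per-token entry; with `public` the shared cache stores one entry per distinct auth header value, and only because `Vary` lists that header.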

milesrichardson commented 1 year ago

Here's the relevant Cloudflare documentation for how they treat this feature, including some (kind of confusing) information on their defaults: