gruuya closed 1 year ago
You might also consider adding the `Cache-Control: private` response header, which indicates that responses may be cached in local caches (e.g. the user's browser), but not in shared caches (e.g. Cloudflare).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#response_directives
This would probably be more beneficial if Seafowl were using JWT for Authorization headers (since in that case, the `Vary` would Vary for the same user but different token). But it's also probably good practice in terms of security.
I guess it's a design decision (maybe should be configurable?) whether you want intermediate caches like Cloudflare to cache private content.
Here's the relevant Cloudflare documentation for how they treat this feature, including some (kind of confusing) information on their defaults:
Consequently, also add the auth header to the VARY header.
Also enable dropping of external tables.
Closes #300 and #323.
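How the two headers discussed in this thread change a shared cache's behaviour, as an added example that is not Seafowl's code or part of the original thread. The cache model, type names, URL and tokens are assumptions constructed for illustration, and only the `private` and `no-store` directives are modelled.

```rust
use std::collections::HashMap;

type Headers = HashMap<String, String>; // header names stored lowercased

fn headers(pairs: &[(&str, &str)]) -> Headers {
    pairs.iter().map(|(k, v)| (k.to_lowercase(), v.to_string())).collect()
}

/// May a shared cache (CDN, proxy) store this response? Simplified model.
fn shared_cache_may_store(resp: &Headers) -> bool {
    let cc = resp.get("cache-control").map(|s| s.to_lowercase()).unwrap_or_default();
    !cc.split(',').map(str::trim).any(|d| d == "private" || d == "no-store")
}

/// Cache key: URL plus the request's value for every header named in Vary.
fn cache_key(url: &str, req: &Headers, resp: &Headers) -> String {
    let mut key = url.to_string();
    if let Some(vary) = resp.get("vary") {
        for name in vary.split(',').map(|n| n.trim().to_lowercase()) {
            let val = req.get(&name).map(String::as_str).unwrap_or("");
            key.push_str(&format!("|{}={}", name, val));
        }
    }
    key
}

/// Hypothetical shared cache; `resp` and `body` are what the origin would return.
struct SharedCache { store: HashMap<String, String> }

impl SharedCache {
    /// Returns (body delivered to the client, served_from_cache).
    fn fetch(&mut self, url: &str, req: &Headers, resp: &Headers, body: &str) -> (String, bool) {
        let key = cache_key(url, req, resp);
        if let Some(hit) = self.store.get(&key) {
            return (hit.clone(), true);
        }
        if shared_cache_may_store(resp) {
            self.store.insert(key, body.to_string());
        }
        (body.to_string(), false)
    }
}

fn main() {
    // Constructed sample: two users with different tokens request the same URL.
    let alice = headers(&[("Authorization", "Bearer alice-token")]);
    let bob = headers(&[("Authorization", "Bearer bob-token")]);
    let resp = headers(&[("Cache-Control", "max-age=60"), ("Vary", "Authorization")]);
    let mut cache = SharedCache { store: HashMap::new() };
    cache.fetch("/q/1", &alice, &resp, "alice rows");
    println!("{:?}", cache.fetch("/q/1", &bob, &resp, "bob rows"));
}
```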