Does anyone know how Reddit manages to bypass CloudFlare static HTML caching once the user logs in successfully, with a reload of the page?

I see that the current page gets reloaded after a successful login.

Response headers before login:

CF-Cache-Status: HIT
CF-RAY: 23b76b8270950e30-MXP
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 20794
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Oct 2015 16:08:27 GMT
Server: cloudflare-nginx
Vary: Accept-Encoding
X-Firefox-Spdy: 3.1
X-Frame-Options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-content-type-options: nosniff
x-moose: majestic
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block

Response headers after login:

CF-RAY: 23b76cb065140e30-MXP
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 18697
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Oct 2015 16:09:16 GMT
Expires: -1
Server: cloudflare-nginx
Vary: accept-encoding
X-Firefox-Spdy: 3.1
X-Frame-Options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-content-type-options: nosniff
x-moose: majestic
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block

Thanks for any hints.

jithujose

1 Answer

There are two key ways of doing this with CloudFlare:

  • In CloudFlare you can set a page rule to avoid caching files of your choice.
  • You can serve no-cache headers which CloudFlare will respect.

In order to set up a Page Rule:

  1. Go to your CloudFlare dashboard and select Page Rules
  2. Add a Page Rule which matches *yourdomain.com/*.html
  3. Set cache level to bypass
  4. Save and deploy

[Image: Page Rule with Cache Level Bypass]

Set Cache Headers

CloudFlare's Help Centre explains how to control cache through the headers sent from the origin:

The second way to alter what CloudFlare will cache is through caching headers sent from the origin. CloudFlare will respect these settings (but only for files with the extensions that we cache by default), unless a Page Rule is set to cache everything and an edge cache expires TTL is set. Here are the caching headers we consider:

  • If the Cache-Control header is set to "private", "no-store", "no-cache", or "max-age=0", or if there is a cookie in the response, then CloudFlare will not cache the resource.
  • Otherwise, if the Cache-Control header is set to "public" and the "max-age" is greater than 0, or if the Expires headers are set any time in the future, we will cache the resource.

Note: As per RFC rules, "Cache-Control: max-age" trumps "Expires" headers. If we see both and they do not agree, max-age wins.

In PHP you can implement this using the header function as follows:

header("Cache-Control: no-cache, must-revalidate");
mjsa
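
The header rules quoted from the Help Centre, written out as a Python check that can be run over a response's headers (an added example, not code from the answer or from CloudFlare). The function and constant names are assumptions, the Page Rule override is modelled as a boolean flag, and the headers are treated as if they were the origin's own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NO_CACHE_DIRECTIVES = {"private", "no-store", "no-cache"}

def parse_cache_control(value):
    """Return {directive: argument or None}; a repeated directive keeps its last value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def expires_in_future(value, now):
    """True only for a parseable HTTP date later than `now` ("-1" and "" are not)."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > now

def edge_decision(headers, now=None, cache_everything_with_edge_ttl=False):
    """Apply the quoted rules; returns "cached", "not cached" or "unspecified"."""
    if cache_everything_with_edge_ttl:   # the Page Rule override named in the quote
        return "cached"
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    max_age = cc.get("max-age")
    if NO_CACHE_DIRECTIVES & cc.keys() or max_age == "0" or "set-cookie" in h:
        return "not cached"
    if max_age is not None:              # max-age wins over Expires
        positive = max_age.isdigit() and int(max_age) > 0
        return "cached" if positive and "public" in cc else "unspecified"
    return "cached" if expires_in_future(h.get("expires", ""), now) else "unspecified"

# Cache-Control/Expires values copied from the question's two header dumps.
BEFORE_LOGIN = {"Cache-Control": "max-age=0, must-revalidate"}
AFTER_LOGIN = {"Cache-Control": "private, s-maxage=0, max-age=0, must-revalidate, "
                                "max-age=0, must-revalidate", "Expires": "-1"}
# Constructed sample: a response marked publicly cacheable.
PUBLIC_PAGE = {"Cache-Control": "public, max-age=300"}

if __name__ == "__main__":
    for name, hdrs in [("before", BEFORE_LOGIN), ("after", AFTER_LOGIN), ("public", PUBLIC_PAGE)]:
        print(name, "->", edge_decision(hdrs))
```

Running the same check over responses captured from an authenticated session is a quick way to confirm that logged-in pages never evaluate to "cached".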