Do not send Vary: Cookie in ProductionReadOnly config

RESOLVED FIXED

Status

Shield
Service
P2
normal
a year ago
a year ago

People

(Reporter: mythmon, Assigned: mythmon)

(Assignee)

Description

a year ago
The `Vary: Cookie` header value breaks our caching. We are working around this with some nasty Nginx configs we would like to remove. We should make sure the application does not include `Vary: Cookie` in its responses.

Note: We do need to include `Vary: Accept`, since DRF uses the Accept header.
(Assignee)

Updated

a year ago
Priority: -- → P2
(Assignee)

Comment 1

a year ago
To add some more detail: this only applies to cache-sensitive pages, and does not apply to pages that use authentication.
Assignee: nobody → mkelly
Assignee: mkelly → nobody
(Assignee)

Updated

a year ago
Assignee: nobody → mcooper
(Assignee)

Comment 2

a year ago
The PR below adds a test that verifies that we don't send the problem headers.

However, going through the code, I came to the conclusion that we have already fixed this bug. The Vary header is controlled by a middleware that is not included in ProductionReadOnly configs. We have removed the hacks in prod.

https://github.com/mozilla/normandy/pull/263
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
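
An added example, not part of the bug thread or the Normandy code base: a standard-library Python check of the header rule discussed above (no `Vary: Cookie`, `Vary: Accept` present) that merges repeated `Vary` lines and compares case-insensitively. The function names, the sample headers and the extra rejection of `Vary: *` are assumptions of this example.

```python
"""Audit response headers for the Vary rule described in this bug."""

# Vary members that stop a shared cache from reusing a response.
# "cookie" is the value named in the bug; "*" is added by this example
# because it also prevents reuse without contacting the origin.
FORBIDDEN_VARY = {"cookie", "*"}
# The bug notes Vary: Accept must stay (DRF negotiates on Accept).
REQUIRED_VARY = {"accept"}


def vary_tokens(headers):
    """Return the lower-cased set of members from every Vary header.

    `headers` is a list of (name, value) pairs, so repeated Vary lines,
    which are equivalent to one comma-separated line, are all merged.
    """
    tokens = set()
    for name, value in headers:
        if name.strip().lower() != "vary":
            continue
        for part in value.split(","):
            part = part.strip().lower()
            if part:  # skip empty members such as "Accept,,"
                tokens.add(part)
    return tokens


def audit_vary(headers):
    """Return a list of problems; an empty list means the response passes."""
    tokens = vary_tokens(headers)
    problems = [f"forbidden Vary value: {t}" for t in sorted(tokens & FORBIDDEN_VARY)]
    problems += [f"missing Vary value: {t}" for t in sorted(REQUIRED_VARY - tokens)]
    return problems


# Constructed sample responses (not captured from the real service).
SAMPLES = {
    "good": [("Content-Type", "application/json"), ("Vary", "Accept")],
    "cookie": [("Vary", "Accept, Cookie")],
    "split": [("vary", "accept"), ("VARY", " cookie ")],
    "none": [("Content-Type", "application/json")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_vary(hdrs) or "ok")
```
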