Fastly & Caching

WARNING: Do not cache routes serving personal data!

As MMA displays sensitive information, only static assets are cached both in

• Fastly, and in
• application itself via the Cache-Control header in server.ts. Make sure to put sensitive route under disableCache middleware call.

Force PASS (do not cache) by default on all routes, unless route is explicitly enabled to be cacheable:

To enable caching explicitly for a route newroute:

1. Modify VCL condition to req.url !~ "^/(static|newroute)"
2. Add the route above disableCache middleware in server.ts or override cache-control headers on case-by-case basis.

Relevant links

• Learnt the hard way to avoid any sensitive user responses from being cached - very important: #43, #138, #140 we learnt the hard way to set the Cache-Control header, which is set to "private, no-cache, no-store, must-revalidate, max-age=0" ALL responses but overridden for the static assets (see #183).
• Change Fastly to by default not cache unless route is explicitly added to allow-list #568 https://github.com/guardian/manage-frontend/pull/568
• Controlling caching
• x-cache headers

Fastly and manage-frontend integration

Like many of the frontend platforms at the Guardian we use Fastly CDN.

We don't have complicated VCL and so everything has been done via Fastly UI, that said version controlling the generated VCL alongside our code wouldn't be a bad idea (we of course have version control via the Fastly UI). Notable things are...

• Healthcheck configured (/_healthcheck must be 200, checked every 60 seconds)
• Force TLS and enable HSTS
• Sets geolocation set-cookie headers for all PROD and CODE traffic (VCL snippet)
• Force PASS (no caching) by default on all endpoints (except static currently)
• GZIP enabled on any cached resources (see #183) which should only be /static/ content (primarily the client-side bundle user.js)
• Logging into gu-reader-revenue-logs S3 bucket

We have a project in Fastly for CODE too, which can be used to test configurations before PROD. Not also that https://manage.code.dev-theguardian.com/ is accessible from anywhere, unlike say https://support.code.dev-theguardian.com/ which is only available from the office IP.