Fastly & Caching
Like many of the frontend platforms at the G we use Fastly CDN.
We don't have complicated VCL and so everything has been done via Fastly UI, that said version controlling the generated VCL alongside our code wouldn't be a bad idea (we of course have version control via the Fastly UI). Notable things are...
-
Healthcheck configured (
/_healthcheckmust be 200, checked every 60 seconds) -
Force TLS and enable HSTS
-
Force PASS (no caching) on all
/api/*endpoints (as a fallback for #43, #138, #140 - learnt the hard way) to avoid any sensitive user responses from being cached - very important)
-
GZIP enabled on any cached resources (see #183) which should only be
/static/content (primarily the client-side bundleuser.js) -
Logging into
gu-reader-revenue-logsS3 bucket
We have a project in Fastly for CODE too, which can be used to test configurations before PROD. Not also that https://manage.code.dev-theguardian.com/ is accessible from anywhere, unlike say https://support.code.dev-theguardian.com/ which is only available from the office IP.
As MMA displays sensitive information, only static assets are cached (both in Fastly and in application itself via the Cache-Control header).
As hinted at above, in #43, #138, #140 we learnt the hard way to set the Cache-Control header, which is set on all requests and then overridden for the static assets (see #183).