-
-
Notifications
You must be signed in to change notification settings - Fork 1
Authenticated response caching
Ieuan Walker edited this page Jan 27, 2026
·
2 revisions
By default, ASP.NET Core output caching does not cache authenticated responses. This is a security feature.
This library provides an opt-in policy to allow output caching for authenticated requests.
1. Follow the setup guide and ensure that the middleware order is correct
public class CachedAuthenticatedEndpoint : IEndpointWithoutRequest<string>
{
public static void Configure(RouteHandlerBuilder builder)
{
builder
.Get("/cached-auth")
.RequireAuthorization()
.CacheOutput(policy =>
{
policy
.Expire(TimeSpan.FromMinutes(1))
.AllowCachingAuthenticatedResponses();
});
}
public Task<string> Handle(CancellationToken ct)
{
return Task.FromResult("OK");
}
}Allowing caching for authenticated requests is only safe if at least one is true:
- The response is identical for all authenticated users, or
- The cache varies by a user-specific discriminator (user id, tenant id, roles/permissions), or
- You are using a cache store that is intentionally scoped per user/tenant.
If you cache user-specific data without varying the cache key appropriately, you risk serving one user’s response to another.
Getting Started
Endpoints
- Endpoint interfaces
- HTTP verbs
- Request binding
- Grouping
- Returning multiple different responses
- Dependency injection
Validation
- Setup
- Data annotations
- Fluent validation
- Disabling validation
- Manually return BadRequest with validation errors
Output Caching
OpenAPI & Documentation