Skip to content

Authenticated response caching

Ieuan Walker edited this page Jan 27, 2026 · 2 revisions

By default, ASP.NET Core output caching does not cache authenticated responses. This is a security feature.

This library provides an opt-in policy to allow output caching for authenticated requests.

1. Follow the setup guide and ensure that the middleware order is correct

2. Use the custom policy on an endpoint

public class CachedAuthenticatedEndpoint : IEndpointWithoutRequest<string>
{
	public static void Configure(RouteHandlerBuilder builder)
	{
		builder
			.Get("/cached-auth")
			.RequireAuthorization()
			.CacheOutput(policy =>
			{
				policy
					.Expire(TimeSpan.FromMinutes(1))
					.AllowCachingAuthenticatedResponses();
			});
	}

	public Task<string> Handle(CancellationToken ct)
	{
		return Task.FromResult("OK");
	}
}

Important security guidance

Allowing caching for authenticated requests is only safe if at least one is true:

  1. The response is identical for all authenticated users, or
  2. The cache varies by a user-specific discriminator (user id, tenant id, roles/permissions), or
  3. You are using a cache store that is intentionally scoped per user/tenant.

If you cache user-specific data without varying the cache key appropriately, you risk serving one user’s response to another.

Clone this wiki locally