You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All plugin API responses are served with Cache-Control: private, no-store — the right default for authenticated data. But public plugin routes (public: true) often serve identical data to every visitor: a catalog listing, a public search endpoint, a widget feed. Today every page view pays a full round-trip to the Worker and D1, even though the response is the same for everyone and changes rarely. On Cloudflare that's exactly the workload the CDN cache exists for.
Proposal
An opt-in per-route header value, additive and default-off:
Honored only on routes that are also public: true — the metadata layer never exposes cacheControl for private routes, so authenticated responses always keep private, no-store even if a route sets both flags.
Applied only to successful GET/HEAD responses; errors and other methods keep the default.
The plugin author supplies the literal header value — no caching DSL to maintain, and existing routes are untouched.
I have a working implementation with tests and docs ready to PR if this direction sounds right.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Problem
All plugin API responses are served with
Cache-Control: private, no-store— the right default for authenticated data. But public plugin routes (public: true) often serve identical data to every visitor: a catalog listing, a public search endpoint, a widget feed. Today every page view pays a full round-trip to the Worker and D1, even though the response is the same for everyone and changes rarely. On Cloudflare that's exactly the workload the CDN cache exists for.Proposal
An opt-in per-route header value, additive and default-off:
Guardrails, so this can't leak private data:
public: true— the metadata layer never exposescacheControlfor private routes, so authenticated responses always keepprivate, no-storeeven if a route sets both flags.I have a working implementation with tests and docs ready to PR if this direction sounds right.
Beta Was this translation helpful? Give feedback.
All reactions