Framework for setting cache-related headers #864

bdarnell opened this Issue Aug 4, 2013 · 0 comments


None yet
1 participant

bdarnell commented Aug 4, 2013

If certain features of Tornado are used, the resulting pages should not be cached (e.g. xsrf tokens, locale detection). The Cache-Control and Vary headers are currently left up to the application (except for the Vary: Accept-Encoding header added by the gzip encoder). We should set the appropriate cache-related headers by default and probably introduce some new interfaces to coordinate these headers between the framework and application-level code (and middleware/mixins).

  • Treat Vary header as a set while the response is being generated, both so multiple cookies don't each append their own Vary: Cookie header and for consistency between the multi-header form and the comma-separated list.
  • Consider adding a method like get_header(name, default=None, set_vary=True).
  • Document recommended idioms for setting Vary header (e.g. emphasizing that Vary must be set whether the header you looked for was present or not).
  • XSRF tokens (and cookies generally) often imply Cache-Control: private instead of Vary: cookie, but the single-valued Cache-Control header is tricker to coordinate than the multi-valued Vary.
  • Consider making Cache-Control: private the default (except for StaticFileHandler) since public caching generally requires some care by the application developer.


@bdarnell bdarnell added the web label Jul 16, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment