Reputation: 71961
How to ensure my CDN caches CORS requests by origin?
I currently use Akamai as a CDN for my app, which is served over multiple subdomains.
I recently realized that Akamai is caching CORS requests the same, regardless of the origin from which they were requested.
This of course causes clients that make requests with a different Origin than the cached response to fail (since they have a different response header for Access-Control-Allow-Origin than they should)
Many suggest supplying the Vary: Origin request header to avoid this issue, but according to Akamai's docs and this Akamai community post, this isn't supported by Akamai.
How can I force Akamai to cache things uniquely by Origin if an Origin header is present in the request?
Upvotes: 2
Views: 2562
Answers (2)
Reputation: 15
We have hosted an API on Akamai. I had similar requirement, but we wanted to use the cached response on Akamai for all the touchpoints. But without CORS settings, it used to cache the response from first origin, and then keep it in cache, and the following requests from other touch points use to fail due to cached origin header.
We solved the problem with using API Gateway feature provided by Akamai. You can find it under API Definition. Custom cache parameters can also be defined here. Please see the screen shot for the CORS settings. Now it cached the response from backend and serve to the requester as per the allowed origin list.
CORS Setting in API Definition
Upvotes: 1
Reputation: 71961
I did some research, and it appears this can be done by adding a new Rule in your Akamai config, like so:
Note that if you do this - REMEMBER - this changes your cache key at Akamai, so anything that was cached before is essentially NOT CACHED anymore! Also, as noted in the yellow warning labels, this can make it harder to force reset your cache using Akamai's url purging tools. You could remove the If block, and just include Origin header as a similar Cache ID Modification rule too, if you were ok with changing the cache key for all your content that this rule would apply to.
So in short, try this out on a small section of your site first!
More details can be found in this related post on Stack Overflow
Upvotes: 3
Related Questions
- How to apply CORS preflight cache to an entire domain
- CORS Preflight response includes Vary:Origin and Access-Control-Max-Age?
- Chrome + CORS + cache - requesting same file from two different origins
- Should you set 'Vary: Origin' when allowing any CORS origin (*)?
- Always serve stale/cached data from edge servers
- Do Akamai edge servers share cached content, or go to origin?
- CORS Access-Control-Allow-Origin cache issue
- Why isn't 'Vary: Origin' response set on a CORS miss?
- Cache in CDN but not in browser
- How to consistently serve assets from same CDN host?