Symfony HTTP Cache-Control header overriding

Question

I've answered this question some time ago.

My code at the moment in Symfony 3.4.

 $response->setCache([
     'max_age' => 3600,
     'public' => true,
     's_maxage' => 3600,
 ]);


 // (optional) set a custom Cache-Control directive
 $response->headers->addCacheControlDirective('must-revalidate', true);

 return $response;

In some reason I'm still getting Cache-Control and other headers like this:

Cache-Control: max-age=0, must-revalidate, private, s-maxage=3600
X-Symfony-Cache: GET /: miss

I've noticed that in Symfony 3.2 code works well, but in 3.4 I'm not getting public in Cache-Control (and max-age=0 looks bad too).

Second thing is dumping $response in controller - everything looks fine:

#headers: array:2 [▼
  "cache-control" => array:1 [▼
    0 => "max-age=3600, must-revalidate, public, s-maxage=3600"
  ]
  "date" => array:1 [▼
    0 => "Sat, 12 May 2018 18:42:04 GMT"
  ]
]

Is it somekind of Symfony bug? Should I report it?

Answer 1

In my case, I used the symfony/security-bundle which came with a default configuration:

security:
    providers:
     ....
    firewalls:
        main:
          anonymous: true

This code initialise a session. You may want to use :

security:
    providers:
     ....
    firewalls:
        main:
          security: false

Answer 2

Same with Symfony 3.4.14. And spent 5 hours to find out that since 3.4 version symfony overrides Cache-Control header if session exists (4.1 documentation).

Symfony 3.4 documentation does not have this info.