HTTP Header Location?
somerandomfellow
I see that the HSTS/preload/etc options are set in the conf. But where are the frame-ancestors 'self' and default cache-control headers for Vanilla? The default seems to be set to public, max-age=120?
Setting directives in the nginx conf or .htaccess can't actually override the headers.
Comments
2 minutes is appropriate for dynamic content like forums. If you want to set the cache control for static assets like images, that should be done through server config (like .htaccess). The default .htaccess does this:
CSP frame ancestors can be extended by adding trusted domains (e.g. when embedding or adding to "Garden.TrustedDomains" in the config).
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
I have my apache/nginx and cloudflare caching perfectly set up along with memcached/etc.
However, with the native response set by Vanilla's defaults, users and myself were having to force a soft refresh to re-validate the homepage right after login if it was clicked on to re-cache the logged in page.
I managed to force my own headers using the exact method you just mentioned earlier.
What is your homepage? Discussion lists should set
Cache-Control: no-store
by default.
The actual homepage url wasn't no-storing.
example.com/ was still using a 2 minute cache while example.com/discussions/ wasn't.
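The mismatch described in this thread (`/` answering `public, max-age=120` while `/discussions/` answers `no-store`), checked over captured response headers together with the `frame-ancestors` directive, as an added example that is not part of the original posts or of Vanilla's code. The function names, the `logged_in` flag and the sample responses are constructed for illustration.

```python
def parse_cache_control(value):
    """Map each Cache-Control directive (lower-cased) to its argument or None."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_reuse(cc):
    """True if a CDN or proxy may serve a stored copy without revalidating."""
    if any(d in cc for d in ("no-store", "private", "no-cache")):
        return False
    ttl = cc.get("s-maxage") or cc.get("max-age")
    if ttl is None:
        return "public" in cc  # heuristic freshness is permitted
    return ttl.isdigit() and int(ttl) > 0

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def audit(path, headers, logged_in):
    """logged_in is an assumption supplied by whoever captured the response."""
    h = {k.lower(): v for k, v in headers.items()}
    raw_cc = h.get("cache-control")
    findings = []
    if logged_in and shared_cache_may_reuse(parse_cache_control(raw_cc)):
        findings.append(f"{path}: logged-in page reusable by shared caches ({raw_cc})")
    if frame_ancestors(h.get("content-security-policy")) is None:
        findings.append(f"{path}: no CSP frame-ancestors directive")
    return findings

# Constructed sample responses, modelled on the header values quoted in the thread.
CSP = "frame-ancestors 'self'"
SAMPLES = [
    ("/", {"Cache-Control": "public, max-age=120", "Content-Security-Policy": CSP}, True),
    ("/discussions/", {"Cache-Control": "no-store", "Content-Security-Policy": CSP}, True),
    ("/", {"Cache-Control": "public, max-age=120"}, False),
]

def run():
    return [f for path, hdrs, li in SAMPLES for f in audit(path, hdrs, li)]

if __name__ == "__main__":
    print("\n".join(run()))
```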