For example, any pages with server-generated honeypots or URLs that are unique to specific users such as password-reset links.
I'm working on setting up FastCGI caching for Nginx (similar to Varnish) and I already don't cache anything if the user is logged in, if it's anything other than a `GET`, or if it includes any query strings/arguments.
I've searched around a good bit for both FastCGI cache and Varnish, and there are a number of folks with questions, but no one has managed to put together a canonical list of which URLs are okay to cache for guests and which aren't. So I suspect if we can put this together, a good number of folks will find it handy.
I don't care if the page content changes on every new post--it's fine if my guests don't see the latest posts for a minute or two--it's only when the content changes for every single visitor that I don't want it cached.
Here's my blacklist so far in Regex form:
```
# For sure don't cache
search.*          # Search queries have unique value appended that changes every time
find-new/.*       # URL changes every query
lost-password.*   # lost password requests append random string, won't have cookie set yet

# Pages with honeypots that change every pageload:
login/login/?
register/?

# Shouldn't be accessible to logged-out users, but uber-important not to cache, so including just to be safe:
admin\.php.*
conversations/.*
account/.*
logout.*
```
```
# Does Nginx ever access these url subfolders, or only PHP? Do logged-out users ever need to access?
internal_data
library
data

# Does the normal login page have honeypots?
login/?
```
Alternatively, I've considered using a whitelist. Do I open any security holes if I whitelist the following URLs for logged-out users?
Whitelist:

```
homepage
/forums/.*
/threads/.*
/members/.*
/posts/.*
/media/.*
/resources/.*
```
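
The three bypass conditions and the whitelist from the post, written as Nginx `map` blocks (an added example, not part of the original post). The cookie name `forum_user`, the cache zone `FORUMCACHE` and the one-minute lifetime are assumptions; substitute the values your forum software and `fastcgi_cache_path` actually use.

```nginx
# Added example. In every map below, 1 means "skip the cache".

# Only GET and HEAD are cacheable.
map $request_method $skip_method {
    default 1;
    GET     0;
    HEAD    0;
}

# Logged-in users: any non-empty login cookie skips the cache.
# "forum_user" is a placeholder cookie name (assumption).
map $cookie_forum_user $skip_cookie {
    default 1;
    ""      0;
}

# Whitelist, default deny. Matching on $request_uri (the raw request line)
# rather than $uri matters: once the request has been rewritten to the PHP
# front controller, $uri is /index.php for every page. The patterns are
# anchored at both ends and [^?]* rejects any query string, so a URL such as
# /search/?q=/threads/ cannot match.
map $request_uri $skip_uri {
    default                                                    1;
    /                                                          0;  # homepage
    ~^/(forums|threads|members|posts|media|resources)/[^?]*$   0;
}

# Add the cache lines to the existing PHP location (fastcgi_pass and
# fastcgi_param lines are left as they are and are not shown here).
location ~ \.php$ {
    fastcgi_cache        FORUMCACHE;   # zone name is an assumption
    fastcgi_cache_key    "$scheme$request_method$host$request_uri";
    fastcgi_cache_valid  200 1m;       # guests may see pages up to a minute old

    # A single non-empty, non-"0" value is enough to skip the cache.
    fastcgi_cache_bypass $skip_method $skip_cookie $skip_uri;  # do not serve from cache
    fastcgi_no_cache     $skip_method $skip_cookie $skip_uri;  # do not store in cache

    # By default Nginx refuses to cache a response that carries Set-Cookie or
    # "Cache-Control: private/no-cache/no-store". Keep that safety net: do not
    # list those headers in fastcgi_ignore_headers.
}
```

With a default-deny whitelist, a new per-user URL added by an upgrade or add-on stays uncached until it is explicitly listed, which is the failure mode a blacklist cannot give you.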