403 caching blindly irrespective of headers

I have set Cache Everything in Page Rules. I’m running a RESTful API gateway behind Cloudflare. One of my API methods returns a 403 status code if the requested user doesn’t have the necessary privilege to access that resource. Once a 403 is returned from the server, it is cached in Cloudflare for all my users. Why is Cloudflare blindly caching the 403 response URL without respecting the HTTP headers? The 403 status code clearly says that the requested resource is not accessible for the “requested user”. I use a Bearer token in the request header for authentication. I believe caching the URL for a 403 irrespective of HTTP headers is a bad design. Could someone please explain to me why Cloudflare behaves like this? Is there any other scenario where blindly caching a 403 response URL is good practice?

If you send a cache control header from your origin, Cloudflare will respect it. Otherwise, Cloudflare caches a 403 response for 1 minute.

Yes. When providing DDoS mitigation to protect the origin server from bad/malicious requests which are intended to consume requests from the origin server, which is one of Cloudflare’s primary use cases for many users. Sending a cache control header with your 403 response can be used to override the default behavior described in the linked article above.
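One way to act on the reply above, as an added example that is not from the thread or from Cloudflare: a WSGI middleware at the origin that sends `Cache-Control: private, no-store` on every 401/403 and on every response to a request carrying an `Authorization` header, so a shared cache has an explicit origin directive instead of its default. `NoStoreForAuth`, `demo_api`, `probe` and the token values are constructed for illustration.

```python
NO_STORE = "private, no-store"
AUTH_STATUSES = {"401", "403"}


class NoStoreForAuth:
    """Wrap a WSGI app so per-user responses carry an explicit no-store directive."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        has_credentials = "HTTP_AUTHORIZATION" in environ

        def patched_start(status, headers, exc_info=None):
            code = status.split(" ", 1)[0]
            if has_credentials or code in AUTH_STATUSES:
                # Replace whatever the handler set: the response depends on who asked.
                headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
                headers.append(("Cache-Control", NO_STORE))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def demo_api(environ, start_response):
    """Constructed sample origin: only the constructed token 'admin' may read."""
    if environ.get("HTTP_AUTHORIZATION") == "Bearer admin":
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Cache-Control", "public, max-age=60")])
        return [b'{"ok": true}']
    start_response("403 Forbidden", [("Content-Type", "application/json")])
    return [b'{"error": "forbidden"}']


def probe(app, token=None):
    """Call the app once with a constructed request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/resource"}
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Calling `probe(demo_api, "user")` against the unwrapped app shows the original problem: the 403 leaves the origin with no `Cache-Control` header at all.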
