A signed exchange is not being generated for the front page of https://collegephysicsanswers.com
> curl -svo /dev/null https://collegephysicsanswers.com -H "Accept: application/signed-exchange;v=b3"
should produce a response with the header content-type: application/signed-exchange;v=b3, but it is content-type: text/html; charset=UTF-8 instead.
> curl -svo /dev/null https://signed-exchange-testing.dev/sxgs/valid.html -H "Accept: application/signed-exchange;v=b3"
produces a response with header Content-Type: application/signed-exchange;v=b3 as expected.
I have enabled “Automatic Signed Exchanges (SXG)” in the dashboard as per https://developers.cloudflare.com/fundamentals/speed/signed-exchanges/enable-signed-exchange/.
The CAA records are being added by Cloudflare correctly, which can be verified with dig collegephysicsanswers.com caa.
While Cloudflare mentions in https://developers.cloudflare.com/fundamentals/speed/signed-exchanges/signed-exchanges-caveats/ that an SXG response will not be generated in a response with the Vary header, they contradict that in their https://blog.cloudflare.com/automatic-signed-exchanges-desktop-android/ about dynamic SXG where they recommend adding the Vary: Cookie header. Vary: Cookie is necessary for my application since it uses server side personalization (a personal menu is shown for logged in users for instance). The page https://developers.cloudflare.com/fundamentals/speed/signed-exchanges/signed-exchanges-caveats/ also mention an SXG response will not be generated for origin responses with a Strict-Transport-Security header, but I have a hard time believing that since this header is so strongly encouraged by Google. The only thing I can see that might exclude my site from SXG are the headers
Vary: Cookie, Accept-Encoding
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
but since the Cloudflare docs contradict themselves, I’m not sure.
Does anyone have any examples of sites using the Cloudflare SXG feature? I would like to inspect their headers and compare.