CORS and cf-cache-status

I have this simple API:, it returns a timestamp and instructs the browser and Cloudflare to cache the response. Nothing special about it. After some refreshes, I get a cf-cache-status: HIT. The API have CORS enabled for these two hosts:

  1. https://*
  2. https://localhost:44383

When I open a chrome and fire a GET straight to the API, i get two things:

  1. cf-cache-status: HIT
  2. Vary: Accept-Encoding

All what to expect with CORS and Cloudflare.

I also have a simple Angular SPA on It is a template SPA, but I have set up a page to do XHR to the API in question: To test this, you need to open this URL in another browser. I think it is because of max-age and CORS, else you might get a CORS error in the console.
If you open in Edge, you get a XHR to the same API. You get the same Cloudflare caches response as when calling directly, but the request made has these two things:

  1. cf-cache-status: BYPASS
  2. Vary: Accept-Encoding, Origin

I understand why the vary on origin, it is because of CORS, and i get it. I also do understand why i get the same cached response as when calling the API directly, because I have instructed Cloduflare to. What I don’t understand is why i get the BYPASS when Cloudflare clearly delivers a cached response to me. Is this because of CORS as well? Or has it something to do with Cloudflare only supports Accept-Encoding as vary header (, but gets Origin as well, and kind of telling me “the wrong story”, eg “I am going to bypass this because of vary origin, but for Accept-Encoding I have a cached result”, and then proceed to only telling me the first part of how it found the resource?

I know this is a tiny detail. I do get what I want: a cached response, but I need to understand this, because I am going to use Cloudflare a lot in the next couple of years :slight_smile:

Did you fix it? When I check that link twice, I get cf-cache-status: HIT.

cache-control: public,stale-while-revalidate=30, max-age=60, stale-if-error=30
cf-cache-status: HIT

You have a 60 second max-age, which of course means the cache will expire after 60 seconds.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.