Purge_cache with Origin header success but URL not removed from the cache

Developers API
1

For Workes & Pages, what is the name of the domain?

com

What is the error message?

I don’t get an error

What is the issue or error you’re encountering

purge_cache returns success, but the URL is not removed from the cache, and subsequent requests return the status cf-cache-status: HIT

What steps have you taken to resolve the issue?

I tried adding different types of headers, but nothing helped.

What are the steps to reproduce the issue?

I have PRO plan.

I send a POST request to the API:

{
“files”: [
https://api.clientdomain.com/client/post/12345”,
{
“url”: “https://api.clientdomain.com/client/post/12345”,
“headers”: {
“Origin”: “https://clientdomain.com
}
}
]
}

Which returns:

{
“success”: true,
“errors”: ,
“messages”: ,
“result”: {
“id”: “0ec091ab2e29048c2b54fd2cfea8411f”
}
}

Nevertheless, the request is not removed from the cache. cf-cache-status: HIT

Thanks for help,

Screenshot of the error

output.jpg
output.jpg1706×820 149 KB

2

It works for me.

I’m afraid there’s really no information in your post that would allow any further investigation.

1 Like
3

Hi @Laudian

What information could I add to be helpful?
I am wondering if I am somehow providing incorrect parameters to the API purge_cache?

Here is what the request and response look like from the browser:

Request:

:authority: api.clientdomain.com
:method: GET
:path: /client/post/12345
:scheme: https
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: pl,en-US;q=0.9,en;q=0.8,pl-PL;q=0.7
Dnt: 1
Origin: https://clientdomain.com
Priority: u=1, i
Referer: https://clientdomain.com/
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Response:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://clientdomain.com
Alt-Svc: h3=":443"; ma=86400
Cache-Control: public, max-age=60, must-revalidate
Cf-Cache-Status: HIT
Cf-Ray: 8a634587eaaebf46-WAW
Content-Encoding: gzip
Content-Type: application/json
Date: Sat, 20 Jul 2024 13:24:27 GMT
Last-Modified: Sat, 20 Jul 2024 13:22:29 GMT
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Strict-Transport-Security: max-age=86400
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Frame-Options: DENY
X-Xss-Protection: 0

Thanks

4

What hosting platform are you using?

I’ve written a little Python script that works for me. Can you see if it works for you as well? That way we should be able to make sure there is no error in the way you perform the API call.

#!/usr/bin/python3
import json
from urllib.request import Request, urlopen

api_key = "ENTER_API_KEY_HERE"
email = "ENTER_EMAIL_HERE"
user_agent = "MAKE_SOMETHING_UP" #Cloudflare blocks URLLib default user-agent
zone_id = "ENTER_ZONE_ID_HERE" #you can find that on the zone overview page in dashboard

url = "https://example.com/some/path"
origin = "https://origin.example"

request = Request(f"https://api.cloudflare.com/client/v4/zones/{zone_id}/purge_cache",
                  headers = {"X-Auth-Key": f"{api_key}",
                             "X-Auth-Email": f"{email}",
                             "Content-Type": "application/json",
                             "User-Agent": f"{user_agent}"},
                  data = json.dumps({
                      "files": [url,
                                {"url": url,
                                 "headers": {"Origin": origin}}]}).encode("utf-8"),
                  method = "POST")
response = json.loads(urlopen(request).read())

print(response)
1 Like
5

Copied your script, filled settings and run it:

./purge.sh ; curl --dump-header - -o /dev/null https://api.clientdomain.com/client/12345 -H "Origin: https://clientdomain.com"

{'success': True, 'errors': [], 'messages': [], 'result': {'id': '0ec091ab2e29048c2b54fd2cfea8411f'}}



  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/2 200
date: Sat, 20 Jul 2024 14:46:41 GMT
content-type: application/json
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
access-control-allow-origin: https://clientdomain.com
access-control-allow-credentials: true
cache-control: public, max-age=60, must-revalidate
x-content-type-options: nosniff
x-xss-protection: 0
x-frame-options: DENY
x-frame-options: DENY
strict-transport-security: max-age=86400
cf-cache-status: HIT
age: 56

Unfortunately did not purge the cache.

Maybe this is not available for tor PRO accounts?

6

How do you know it’s not being purged?

The reply shows a pretty recent Last Modified date, and there’s no Age header, which tells me this isn’t being served from local colo cache (must be coming from an upper tier).

Sorry, I was looking at your first example. The second one shows Age of 56 seconds, which is pretty recent.

1 Like
7

You missed the most important part of my reply:

Also, you’re running the purge script and the new curl in one go. Purging might take a few seconds.

8

What hosting platform are you using?

bare metal server with ubuntu, nginx and nodejs.

Also, you’re running the purge script and the new curl in one go. Purging might take a few seconds.

Unfortunately, It does not change anything:

./purge.sh ; sleep 10; curl --dump-header - -o /dev/null https://api.clientdomain.com/client/12345 -H "Origin: https://clientdomain.com"

[...]
cf-cache-status: HIT
age: 296