Web API 2 Caching [duplicate] - caching

This question already has answers here:
What's default value of cache-control?
(6 answers)
Closed 6 years ago.
We have a requirement that some Web API responses should never be cached.
When we checked the headers in the response of a Web API 2 call, we found that there is no Cache-Control header.
Does this mean that Web API 2 results are not cached by default, or do we need to send the header Cache-Control: no-cache, no-store with every response to ensure that results are not cached?

It's not cached by default.
If you want to use caching, you need to write logic or include libraries for it.

Related

How do you disallow same-origin access but allow strict cross-origin? [duplicate]

This question already has answers here:
Why isn't my CORS configuration causing the server to filter incoming requests? How can I make the server only accept requests from a specific origin?
(1 answer)
CORS-enabled server not denying requests
(2 answers)
CORS allowed-origin restrictions aren’t causing the server to reject requests
(3 answers)
Closed 1 year ago.
Say I have a server abc:8080
and a website web.org that makes requests to abc:8080.
I only want abc:8080 to be accessible through web.org.
Users are disallowed from navigating to abc:8080 without being on the allowed origin 'web.org'.
Is this possible?
django-cors-headers specific answer would be awesome!
From what I understood, your abc:8080 is acting as a backend server providing APIs and web.org is, let's say, your frontend server consuming those APIs.
I assume you have django-cors-headers installed on abc:8080.
Adding web.org to the Django settings variable CORS_ALLOWED_ORIGINS in the 'abc:8080' project should do the job:
CORS_ALLOWED_ORIGINS = [
    # django-cors-headers requires a scheme on every origin; https is assumed here
    "https://web.org",
]
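
CORS headers tell a browser which origins may read a response; they do not make the server refuse a request, as the duplicate titles linked above note. An added example (not part of the original answer and not django-cors-headers code) contrasting a CORS-only view with one that also checks a credential; the handler names, the `https://web.org` scheme and the token are assumptions made for the illustration:

```python
# Added example: constructed mini-handlers, not django-cors-headers code.
import hmac

ALLOWED_ORIGINS = {"https://web.org"}   # assumed scheme; the page only names web.org
API_TOKEN = "constructed-demo-token"    # placeholder secret for this example


def cors_headers(origin):
    """What a CORS layer does: choose response headers, nothing more."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def cors_only_view(request_headers):
    """CORS alone: the view still runs and returns data to every caller."""
    headers = cors_headers(request_headers.get("Origin"))
    return 200, headers, "secret data"


def authenticated_view(request_headers):
    """Same view with a server-side credential check in front of the data."""
    headers = cors_headers(request_headers.get("Origin"))
    supplied = request_headers.get("Authorization", "")
    expected = "Bearer " + API_TOKEN
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        headers["WWW-Authenticate"] = 'Bearer realm="api"'
        return 401, headers, ""
    return 200, headers, "secret data"


# Constructed requests: page served by web.org, direct navigation, another site.
REQUESTS = {
    "browser on web.org": {"Origin": "https://web.org"},
    "direct navigation": {},
    "script on other origin": {"Origin": "https://other.example"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, cors_only_view(req)[0], authenticated_view(req)[0])
```

With CORS alone every request gets status 200 and the body; only the browser's willingness to hand the response to a cross-origin script changes. Restricting who can reach the data needs the server-side check.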

No 'Access-Control-Allow-Origin' error when accessing web-api from angular2 [duplicate]

This question already has answers here:
MVC web api: No 'Access-Control-Allow-Origin' header is present on the requested resource
(17 answers)
Closed 4 years ago.
From one side I have an ASP.net web application that contains a web api module.
On the same machine I have an angular 2 client application which is consuming the web api controllers crud methods. The angular 2 uses a basic http service with the uri of the localhost with the port number on which the web api runs on. I run the web api application and when the angular 2 tries to consume a Get request, I get this error message (22770 is the port of the web-api, 4200 is the port of the angular 2 application):
Failed to load http://localhost:22770/api/: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.
Although this is quite a common question, mine is a little bit different:
CORS is defined as:
Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to let a user agent gain permission to access
selected resources from a server on a different origin (domain) than
the site currently in use
BUT - I'm working with the same domain - on my local machine (localhost).
What is the problem and how can I solve it?
OK - Investigated it a little bit and reached the reason for that error message when working on the same local host - It appears that a different port is considered as a different domain.
Exceptional addition I noticed:
"Internet Explorer does not consider the port when comparing origins"
You need to enable CORS (cross-origin requests) in your web api. Follow the instructions given on the page below:
https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api

Chunked transfer encoding HTTP request in GO?

I see someone modified the net/http module to send chunked request.
That was 4 years ago. Can't that be done directly by the official net/http module without modification?
The net/http package automatically uses chunked encoding for request bodies when the content length is not known and the application did not explicitly set the transfer encoding to "identity". This feature dates back to the Go 1 release.

What is the concern about bad request(400) or forbidden(403)? [duplicate]

This question already has an answer here:
Which HTTP status code to say username or password were incorrect?
(1 answer)
Closed 5 years ago.
I am implementing an endpoint which offers some secret data and I want to make a simple verification mechanism. Which status should I respond with when the user does not have the correct credentials?
400? 403? Or something else?
Thanks.
You should use 403. HTTP status code 403 responses are the result of the web server being configured to deny access to the requested resource by the client.
See HTTP 403
You can use 401 if you intend to authenticate via the WWW-Authenticate header field. If the authentication information was incorrect or missing, send 401.
Or use 403 to notify the sender of the request that he is not allowed to access the requested content. According to the documentation, the response should state the reason why the request was refused.
If you do not wish to do so, you could alternatively send a 404.
For further information see the linked Documentation.
w3.org http Protocol
EDIT: improved from link only answer.

How to detect whether web page content is different from cached version

Hi guys
As you know, checking the content of web pages is a little different from checking static pages or personal files on our machines, because the content of dynamic web pages changes on each request. So if we use checksums to identify changes, we'll fail! A very simple example is when a site owner uses Google Ads on his website; on each request the ads are different from the previous ones. Also, if we cache only for a period of time, we'll also fail, because some web pages aren't updated every year but some are every minute (if not second).
So what is a better approach to solve this issue? (Thanks)
UPDATE
Another option is to use the Last-Modified HTTP header! But is this a strong approach?
Browsers do this automatically with the help of the several caching mechanisms that HTTP provides. The two mechanisms most obviously useful for determining whether a page has changed are the concept of Entity Tags and the Last-Modified HTTP header. These mechanisms allow the browser to make conditional requests to a web site, e.g. fetch a page only if it has been changed.
Quoting RFC 2616 on HTTP 1.1:
3.11 Entity Tags
Entity tags are used for comparing two or more entities from the same
requested resource. HTTP/1.1 uses entity tags in the ETag (section
14.19), If-Match (section 14.24), If-None-Match (section 14.26), and
If-Range (section 14.27) header fields. The definition of how they
are used and compared as cache validators is in section 13.3.3. An
entity tag consists of an opaque quoted string, possibly prefixed by
a weakness indicator.
The key point here is that the ETag is a cache validator. If a browser has a cached version of a page (called a resource in the RFC), it can use the ETag to determine whether the cached page is still valid, i.e. whether the page hasn't changed on the server.
And about the modification date:
14.25 If-Modified-Since
The If-Modified-Since request-header field is used with a method to
make it conditional: if the requested variant has not been modified
since the time specified in this field, an entity will not be
returned from the server; instead, a 304 (not modified) response will
be returned without any message-body.
The key point here is that the server may know when a page has been modified, and may then inform the client.
If you open an HTTP monitor (such as Fiddler for Windows) and watch your browser communicate with web sites, you'll see the use of these mechanisms first-hand when the browser makes conditional requests.
To specifically address your question about the Last Modified header, this header in itself won't work for the majority of pages you'll find. But in combination with the ETag it can get you started.
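
The validators described in this answer, as an added example that is not part of the original post: a handler that computes the ETag only over the stable part of a page (so rotating ads do not change it) and answers conditional requests with 304. The function names and sample values are constructed for the illustration.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime


def make_etag(stable_content: bytes) -> str:
    """ETag over the content that matters; per-request parts (ads) are excluded."""
    return '"' + hashlib.sha256(stable_content).hexdigest()[:16] + '"'


def _strip_weak(tag: str) -> str:
    """Drop the W/ weakness indicator so tags can be compared weakly."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_none_match: str, etag: str) -> bool:
    """If-None-Match comparison: '*' matches anything, otherwise any listed tag."""
    if if_none_match.strip() == "*":
        return True
    return _strip_weak(etag) in {_strip_weak(t) for t in if_none_match.split(",")}


def conditional_get(request_headers, stable_content, last_modified_ts):
    """Return (status, headers, body) for a GET, honouring cache validators."""
    etag = make_etag(stable_content)
    headers = {"ETag": etag,
               "Last-Modified": formatdate(last_modified_ts, usegmt=True)}
    inm = request_headers.get("If-None-Match")
    ims = request_headers.get("If-Modified-Since")
    not_modified = False
    if inm is not None:                 # the ETag takes precedence over the date
        not_modified = etag_matches(inm, etag)
    elif ims is not None:
        try:
            since = parsedate_to_datetime(ims).timestamp()
            not_modified = int(last_modified_ts) <= since
        except (TypeError, ValueError):
            not_modified = False        # unparseable date: send the full page
    if not_modified:
        return 304, headers, b""
    return 200, headers, stable_content
```

A client stores the `ETag` and `Last-Modified` values from the first 200 response and sends them back as `If-None-Match` and `If-Modified-Since`; a 304 means the cached copy is still current.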
