Caching

Data & Formats Security Notes Jan 6, 2025 HTTP

Definition

Have you ever noticed how the second time you visit a website, it loads much faster than the first time? That’s caching at work. Caching is the practice of storing copies of data in a temporary location so you don’t have to fetch it from the original source every time you need it.

Think about what happens when you request information from an API. Your request travels across the internet to a server, the server queries a database, processes the data, and sends it back to you. All of that takes time - sometimes a lot of time. Now imagine thousands of users making the same request for the same data. Without caching, the server would repeat this entire process for each request, wasting resources and making everyone wait.

Caching solves this by keeping a copy of frequently requested data closer to where it’s needed. This can happen at multiple levels: your browser can cache data so it doesn’t need to ask the server again, a CDN (Content Delivery Network) can cache data geographically close to users, or the server itself can cache database results so it doesn’t need to query the database repeatedly. The result is dramatically faster responses and reduced load on your systems.

Example

E-commerce Product Listings: When you browse Amazon, the product catalog doesn’t change every second. So instead of querying the database for every visitor, Amazon caches product information. When you view a popular item that thousands of people are looking at simultaneously, everyone sees the cached version rather than hammering the database with identical queries.

Weather Apps: Your weather app doesn’t need to check the actual weather station every time you open it. The weather data might be cached with a 15-minute expiration, meaning the app shows you slightly old (but still accurate) data instantly rather than making you wait for a fresh check.

Social Media Feeds: When you scroll through Instagram, you’re seeing cached content. Your feed was pre-computed and cached so it loads instantly when you open the app, rather than calculating what to show you in real-time every single time.

News Websites: Major news sites like CNN cache their homepage content. When breaking news hits and millions of people visit simultaneously, they all see the cached version, preventing the servers from collapsing under the load.

API Rate Limits: Google Maps API responses are often cached because the directions from your home to work don’t change minute-to-minute. Why waste API calls (and money) requesting the same route repeatedly when a cached response works fine?

Analogy

The Desk vs. The Library: Imagine you’re writing a research paper. You could walk to the library every time you need to check a fact, wait in line, find the book, look up the information, and walk back. Or you could keep the most useful books on your desk. The books on your desk are your “cache” - they’re copies of information stored closer to where you need them. You only go to the library when you need something that isn’t on your desk.

The Coffee Shop Regular: Think about a coffee shop that has regular customers. A smart barista remembers that you always order a large oat milk latte. When they see you walk in, they start making it before you even reach the counter. They’ve “cached” your order in their memory, making service faster for everyone. If you suddenly want something different, no problem - they just make the new order and update their mental cache.

The Supermarket Stockroom: A supermarket doesn’t go to the farm every time you want to buy milk. They keep inventory (a cache) in the store and stockroom. The shelves are the “hot cache” (frequently accessed items right where customers need them), the stockroom is the “warm cache” (backup inventory), and the farm is the “origin” (the actual source). This layered approach means you almost always get your milk instantly.

Meal Prep Sunday: When you prep meals for the whole week on Sunday, you’re essentially caching your dinners. Instead of cooking from scratch every night (querying the “database”), you just reheat what you prepared (serving from cache). It saves time and effort, though you need to throw out old meals before they spoil (cache expiration).

Code Example


// Response with cache headers
[HTTP/1.1](https://reference.apios.info/terms/http-1-1/) 200 OK
Cache-Control: public, max-age=3600
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

// Client-side cache validation
GET /api/products HTTP/1.1
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

// 304 Not Modified - use cached version
HTTP/1.1 304 Not Modified

Security Notes

SECURITY NOTES

IMPORTANT: Improper caching can expose sensitive data or enable cache poisoning attacks.

Sensitive Data Protection:

  • Never cache sensitive data: Do NOT cache passwords, tokens, API keys, or PII without explicit controls
  • Cache-Control: private: Mark user-specific data as private (only client can cache, not CDNs)
  • Cache-Control: no-store: Use no-store for highly sensitive data (forces no caching anywhere)
  • Access controls: If caching sensitive data, verify clients can only access their own cached data

User-Specific Data:

  • Isolate by user: Never cache shared data with user-specific information mixed in
  • Per-user cache keys: Include user ID in cache key to prevent serving one user’s cache to another
  • Validate permissions: Check user permissions before returning cached data
  • Expiration timing: Use shorter TTLs for sensitive data; longer for public content

Cache Poisoning Prevention:

  • Input validation: Validate and sanitize inputs before caching responses
  • Cache key construction: Use strong cache keys; don’t allow attacker control
  • Source validation: Verify response comes from legitimate source before caching
  • Header validation: Don’t blindly trust Cache-Control headers from untrusted sources
  • Mutability awareness: Don’t cache mutable objects; cache snapshots instead

Shared Cache (CDN) Security:

  • Mark private: Use Cache-Control: private for user-specific responses
  • Geographic caching: Be aware of which geographic regions cache which content
  • Surrogate key validation: If using surrogate keys for cache invalidation, protect key access
  • Headers stripping: CDNs strip some headers; verify sensitive headers aren’t exposed

Cache Invalidation:

  • Timely invalidation: Invalidate caches quickly when data changes
  • Event-driven invalidation: Trigger cache invalidation on data mutations
  • Purge on logout: Clear user-specific cached data on logout
  • Security update invalidation: Immediately invalidate affected caches after security patches

Protocol-Specific:

  • HTTP caching headers: Use Cache-Control: public/private, max-age, s-maxage consistently
  • HTTPS only: Don’t cache over HTTP; use HTTPS to prevent MITM attacks on cached data
  • ETag validation: Use ETags for conditional requests to reduce sensitive data exposure
  • Vary header: Use Vary header to account for different request characteristics (auth, accept-encoding)

Monitoring:

  • Cache hit rates: Monitor to detect poisoning attempts (unusual hit ratios)
  • Stale content: Alert on unexpectedly stale cached content
  • Access patterns: Detect unusual cache access patterns indicating abuse

Standards & RFCs

Standards & RFCs
1)RFC 9111- HTTP Caching (obsoletes )
2)RFC 7234- HTTP/1.1 Caching (obsoleted, but widely referenced)
3)RFC 5861- HTTP Cache-Control Extensions for Stale Content