Tools/Cache Inspector

Caching Behavior Inspector

Each endpoint is fetched twice to verify cache behavior. The verdict shows whether the CDN behaved as expected.

CDN:

HITMISSSTALEBYPASS304PRIVATE

No Cache/api/no-cache

no-store, no-cache, must-revalidate · Always BYPASS/DYNAMIC - never cached

Short TTL (10s)/api/short-cache

s-maxage=10 · CloudFront disabled for /api/*: expect MISS on CF (origin may still hit)

Long TTL (1 hour)/api/long-cache

s-maxage=3600 · CloudFront disabled for /api/*: expect MISS on CF (origin may still hit)

Immutable (1 year)/api/immutable

immutable, max-age=31536000 · CloudFront disabled for /api/*: expect MISS on CF (origin may still hit)

Stale-While-Revalidate/api/swr-cache

s-maxage=10, stale-while-revalidate=60 · CloudFront disabled for /api/*: expect MISS on CF (origin may still hit)

ETag Validation/api/etag

ETag + must-revalidate · May return 304 Not Modified

Sets Cookie/api/sets-cookie

Response includes Set-Cookie header · BYPASS/DYNAMIC - CDNs refuse to cache

Vary: Cookie/api/varies-by-cookie

Vary: Cookie header · May cache per cookie value

Private (Auth)/api/private-with-cookie

private, no-store · Never cached by CDN

Private Cache/api/private-cache

private, max-age=60 · Browser can cache, CDN cannot

SVG Image/next.svg

Static asset from /public · 1st: MISS, 2nd: HIT

Another SVG/vercel.svg

Static asset from /public · 1st: MISS, 2nd: HIT

Static Path Probe/static/cache-probe.txt

Deterministic file under /static/* CloudFront behavior · 1st: MISS, 2nd: HIT

Shared TTL Candidate/assets/cache-lab?cc=public,%20s-maxage=2,%20stale-while-revalidate=4,%20max-age=0,%20must-revalidate

Public shared-cache directives under static path behavior · Expected to cache on static behavior

No-Store Under Static Policy/assets/cache-lab?cc=no-store,%20no-cache,%20must-revalidate

Detects MinTTL/DefaultTTL overrides in static behavior policy · Should not cache unless behavior policy enforces it

A/B Cookie Replay (No Vary)/assets/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&identityBy=cookie%3Auser-id

A and B differ only by non-allowlisted cookie · B should never receive A identity hash

1st: cookie user-id=user-a · 2nd: cookie user-id=user-b

A/B Vary:Cookie Replay/assets/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&vary=Cookie&identityBy=cookie%3Auser-id

CloudFront ignores Vary unless cookie is in cache policy key · B should never receive A identity hash

1st: cookie user-id=user-a · 2nd: cookie user-id=user-b

A/B __vdpl Keyed Cookie/assets/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&identityBy=cookie%3A__vdpl

__vdpl is allowlisted in static cache key · B should receive B identity hash

1st: cookie __vdpl=vdpl-user-a · 2nd: cookie __vdpl=vdpl-user-b

A/B x-deployment-id Keyed Header/assets/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&identityBy=header%3Ax-deployment-id

x-deployment-id is allowlisted in static cache key · B should receive B identity hash

1st: x-deployment-id: dpl_user_a · 2nd: x-deployment-id: dpl_user_b

A/B Authorization Replay/assets/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&vary=Authorization&identityBy=authorization

A and B differ only by Authorization header · B should never receive A auth identity hash

1st: authorization: Bearer user-a-token · 2nd: authorization: Bearer user-b-token

Auth Guard (force no-store)/assets/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&identityBy=authorization&forceNoStoreOnAuth=1

Endpoint forces private,no-store when Authorization exists · Should not cache and should not replay identities

1st: authorization: Bearer user-a-token · 2nd: authorization: Bearer user-b-token

Shared TTL Candidate/api/cache-lab?cc=public,%20s-maxage=2,%20stale-while-revalidate=4,%20max-age=0,%20must-revalidate

Public shared-cache directives · CloudFront disabled for /api/*: expect MISS on CF

Explicit No-Store/api/cache-lab?cc=no-store,%20no-cache,%20must-revalidate

Hard no-store response · Should not cache

Set-Cookie + Shared TTL/api/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&setCookie=1

Response sets a cookie while advertising shared caching · Should not be safely shared by CDN

A/B Cookie Replay Probe/api/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&vary=Cookie&identityBy=cookie%3Auser-id

A request and B request differ only by cookie identity · B should never receive A identity hash

1st: cookie user-id=user-a · 2nd: cookie user-id=user-b

A/B Auth Replay Probe/api/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&vary=Authorization&identityBy=authorization

A request and B request differ only by Authorization · B should never receive A auth identity hash

1st: authorization: Bearer user-a-token · 2nd: authorization: Bearer user-b-token

Auth Guard (force no-store)/api/cache-lab?cc=public,%20s-maxage=30,%20max-age=0&identityBy=authorization&forceNoStoreOnAuth=1

Endpoint dynamically forces private,no-store when Authorization exists · Should not cache and should not replay identities

1st: authorization: Bearer user-a-token · 2nd: authorization: Bearer user-b-token

Cache headers: CloudFront → x-cache, x-amz-cf-pop · Vercel → x-vercel-cache