diff --git a/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md b/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md index eec795a12..3193eacc3 100644 --- a/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md +++ b/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md @@ -228,11 +228,24 @@ By default, Silverstripe CMS will output a `Vary` header with the following cont Vary: X-Forwarded-Protocol ``` -To change the value of the `Vary` header, you can change this value by specifying the header in configuration. +> [!IMPORTANT] +> For historical reasons the default vary header is `X-Forwarded-Protocol` instead of the standard `X-Forwarded-Proto`. +> If you are using a CDN or proxy which relies on `X-Forwarded-Proto` to determine the protocol of the request, you should change the default vary header to `X-Forwarded-Proto` to ensure that cached content is correctly served over both HTTP and HTTPS. + +To change the value of the `Vary` header, you can change this value by disabling the old header and specifying the new header in configuration: ```yml -SilverStripe\Control\HTTP: - vary: "" +SilverStripe\Control\Middleware\HTTPCacheControlMiddleware: + defaultVary: + X-Forwarded-Protocol: false + X-Forwarded-Proto: true +``` + +You can also remove the default `Vary` header value by setting it to `null`: + +```yml +SilverStripe\Control\Middleware\HTTPCacheControlMiddleware: + defaultVary: null ``` Note that if you use `Director::is_ajax()` on cached pages diff --git a/en/02_Developer_Guides/09_Security/05_Secure_Coding.md b/en/02_Developer_Guides/09_Security/05_Secure_Coding.md index d9580a272..64a77ea14 100644 --- a/en/02_Developer_Guides/09_Security/05_Secure_Coding.md +++ b/en/02_Developer_Guides/09_Security/05_Secure_Coding.md 
@@ -762,13 +762,21 @@ If you wish to change the headers that are used to find the proxy information, y `TrustedProxyMiddleware` service: ```yml -SilverStripe\Control\TrustedProxyMiddleware: - properties: - ProxyHostHeaders: X-Forwarded-Host - ProxySchemeHeaders: X-Forwarded-Protocol - ProxyIPHeaders: X-Forwarded-Ip +SilverStripe\Core\Injector\Injector: + SilverStripe\Control\Middleware\TrustedProxyMiddleware: + properties: + ProxyHostHeaders: + - X-Forwarded-Host + ProxySchemeHeaders: + - X-Forwarded-Proto + - X-Forwarded-Protocol + ProxyIPHeaders: + - X-Forwarded-Ip ``` +Scheme headers are checked in order, so `X-Forwarded-Proto` is preferred with `X-Forwarded-Protocol` as a legacy +fallback. If neither header is present, Silverstripe CMS falls back to the standard HTTPS and SSL server variables. + ## TLS (aka SSL aka HTTPS) Silverstripe CMS recommends the use of TLS (HTTPS) for your application. You can configure this by setting the `ForceSSL` property on the [`CanonicalURLMiddleware`](api:SilverStripe\Control\Middleware\CanonicalURLMiddleware) singleton.
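Review bot: in the `02_HTTP_Cache_Headers.md` hunk, the IMPORTANT callout tells readers to switch the `Vary` value to `X-Forwarded-Proto` but says nothing about the other half of that change: the header a cache keys on must also be one the application reads to decide the request scheme (the `TrustedProxyMiddleware` `ProxySchemeHeaders` list), otherwise the response is still generated as plain HTTP while caches vary it on a header the application never consulted. A cross-reference to the proxy-header section of `05_Secure_Coding.md` would close that gap. Two smaller points: the lead-in `To change the value of the `Vary` header, you can change this value by disabling the old header and specifying the new header in configuration:` repeats itself and could read `To change the `Vary` header, disable the old value and enable the new one in configuration:`; and the `defaultVary: null` example should state its cost, namely that caches will no longer distinguish HTTP from HTTPS responses, which is exactly the problem the callout above it warns about, so it is only appropriate on a site whose responses are identical over both schemes.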
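Review bot: in the `05_Secure_Coding.md` hunk, the added paragraph explains the ordering of `ProxySchemeHeaders` but not its security consequence: every header in that list is an input the application will trust when the request comes from a proxy, so listing both `X-Forwarded-Proto` and `X-Forwarded-Protocol` is only safe when the proxy overwrites or strips both on every request. If the proxy sets only the legacy `X-Forwarded-Protocol` and passes an inbound `X-Forwarded-Proto` through untouched, the header checked first is whatever the client supplied, and the "preferred" value wins. The text should advise readers to list only the headers their proxy actually controls and to remove the legacy fallback once the proxy has been updated. Minor: `the standard HTTPS and SSL server variables` is vague; name the server variables the middleware consults so operators can verify them against their web server configuration.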