Expose 'Date' header to assist with error rate limits
Feature Request
Expose `Date` header in responses by adding it to `Access-Control-Expose-Headers`.
Use case
To guarantee we obey the ESI error rate limits, two headers are returned with every response: `X-Esi-Error-Limit-Remain` and `X-Esi-Error-Limit-Reset`.
The former represents how many errors a client still has available before being throttled/blocked, while the latter represents the number of seconds until the limit is reset.
To determine the most recent response we need to rely on the timestamp of each response, but these are not available due to CORS.
Applications running in a browser will see cached responses where the values of these headers should be ignored. Unfortunately, there is no reliable mechanism to distinguish responses that are cached from those that aren't, thus making it hard to guarantee rate limits are obeyed:
![Screenshot_2023-06-21_at_12 15 44](https://private-user-images.githubusercontent.com/1539767/248454886-6049530f-4ad4-4686-abcf-ffd9d4cebc4d.png)
Exposing the `Date` response header makes it possible to establish a total order on the responses, which in turn makes it possible to infer the state of the error limit mechanism on the server, overcoming the challenges of dealing with caching, concurrent requests and multi-tenancy (multiple distinct applications behind the same IP).
Example return
Header `Access-Control-Expose-Headers` includes `Date`
Checklist
Check all boxes that apply to this issue:
- Feature request description is provided
- Use case exists
- Feature requires a new route
- Feature adds data to existing route
- Feature requires new auth scope
- Feature can reuse existing scope
- Feature does not require auth
- Meta feature, applies to all routes
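
One way a browser client could apply the ordering described in this issue, assuming `Date` is exposed as requested. This is an added example, not code from the issue author or from ESI; `ErrorLimitTracker`, `observe`, `maySend` and the sample header values are hypothetical.

```javascript
// Added example: newest-wins tracking of the ESI error limit, ordered by Date.
class ErrorLimitTracker {
  constructor() {
    this.latest = null; // { date, remain, resetAt } from the newest response seen
  }

  // headers: a fetch Headers object, or anything with get(name).
  // Returns true if the response advanced the tracked state.
  observe(headers) {
    const date = Date.parse(headers.get('Date') ?? '');
    const remain = Number.parseInt(headers.get('X-Esi-Error-Limit-Remain') ?? '', 10);
    const reset = Number.parseInt(headers.get('X-Esi-Error-Limit-Reset') ?? '', 10);
    // Without all three values the response cannot be ordered; skip it.
    if ([date, remain, reset].some(Number.isNaN)) return false;

    const cur = this.latest;
    // Older Date: a cached copy or a concurrent response that arrived late.
    if (cur && date < cur.date) return false;
    // Date has one-second resolution; on a tie keep the lower budget.
    if (cur && date === cur.date && remain >= cur.remain) return false;

    this.latest = { date, remain, resetAt: date + reset * 1000 };
    return true;
  }

  // serverNowMs: caller's estimate of the current server time (assumption).
  // floor: errors to keep in reserve before pausing requests.
  maySend(serverNowMs, floor = 0) {
    const cur = this.latest;
    if (!cur || serverNowMs >= cur.resetAt) return true; // no data, or window reset
    return cur.remain > floor;
  }
}

// Constructed sample headers (not captured from ESI).
const sample = (date, remain, reset) => new Map([
  ['Date', date],
  ['X-Esi-Error-Limit-Remain', String(remain)],
  ['X-Esi-Error-Limit-Reset', String(reset)],
]);

function demo() {
  const t = new ErrorLimitTracker();
  const results = [
    t.observe(sample('Wed, 21 Jun 2023 10:15:40 GMT', 3, 20)),   // fresh
    t.observe(sample('Wed, 21 Jun 2023 10:15:05 GMT', 100, 55)), // cached, older
    t.observe(new Map([['X-Esi-Error-Limit-Remain', '100']])),   // Date not exposed
  ];
  return { results, remain: t.latest.remain };
}
```

The third sample shows the situation the issue describes: without a readable `Date`, the response cannot be ordered and its limit values are discarded instead of trusted.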