Vary: Cookie Header
elithrar opened this issue · 2 comments
The middleware should set a `Vary: Cookie` header on CSRF protected pages to force proxies to never cache the page. This should, in most cases, override any `Cache-Control` or `ETag` headers set otherwise down the line.
The Django docs cover this nicely, as do the Varnish docs.
Note that in many cases good proxies won't cache the page anyway, but it's worth being sure.
PS: I can send a PR for this, but since it's effectively a one-liner prior to passing the handler, I figured it's probably easier for you to include in your next update/change.
A good catch! I guess this doesn't even need a setting (on/off), since it will always be set before the original handler. In case the app doesn't like the header, it can just override it.
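The behaviour discussed in this thread, as an added example that is not part of the issue or the project's own code: a wrapper sets `Vary: Cookie` before calling the wrapped handler, and the handler can still extend or override it. It assumes Go's `net/http`; `varyCookie`, `variesOn`, `serve` and `app` are hypothetical names, and the handlers and request are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// varyCookie is a hypothetical wrapper. It adds "Vary: Cookie" before the
// wrapped handler runs, so the app can still extend or replace the header.
func varyCookie(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Cookie") // Add keeps Vary values set earlier
		next.ServeHTTP(w, r)
	})
}

// variesOn checks all Vary lines (comma-separated, case-insensitive names).
func variesOn(h http.Header, field string) bool {
	for _, v := range strings.Split(strings.Join(h.Values("Vary"), ","), ",") {
		if v = strings.TrimSpace(v); v == "*" || strings.EqualFold(v, field) {
			return true
		}
	}
	return false
}

// serve sends one constructed request through h and returns the response headers.
func serve(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/form", nil))
	return rec.Result().Header
}

// app builds a constructed sample handler that edits headers, then writes a body.
func app(edit func(http.Header)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		edit(w.Header())
		fmt.Fprint(w, "ok")
	})
}

var extends = app(func(h http.Header) { h.Add("Vary", "Accept-Encoding") })
var overrides = app(func(h http.Header) { h.Set("Vary", "Accept-Encoding") })

func main() {
	fmt.Println(serve(varyCookie(extends))["Vary"], serve(varyCookie(overrides))["Vary"])
}
```

A handler that calls `Set` on `Vary` drops the `Cookie` value, so a response check like `variesOn` is a useful regression test for CSRF-protected routes.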