Discover cache: switch from public to private

Self-review nit on b0e7dae. Discover data is user-specific (hero
artists from your watchlist, similar artists from your taste,
recently-played derivations, etc.) — `Cache-Control: public` would let
intermediate proxies (corporate caching proxy, Cloudflare with cache
rules, Nginx with proxy_cache) store one user's response and serve
it to another. Privacy leak.

Switched to `private, max-age=300`. Browser-only cache, proxies skip.
Static assets stay `public` (shared content — everyone gets the same
library.js). Streaming and backup endpoints already correct
(`no-cache` and `no-store` respectively).

603 tests pass.
This commit is contained in:
Broque Thomas 2026-04-26 21:27:46 -07:00
parent b0e7dae7c6
commit 5d9e5e5781

View file

@ -325,6 +325,12 @@ def _add_discover_cache_headers(response):
Scope: only `/api/discover/` and `/api/discovery/` paths, only GET,
only successful 2xx responses. Any endpoint that explicitly sets
its own Cache-Control wins (we don't override).
Uses `private` not `public` because discover data is user-specific
(hero artists from your watchlist, similar artists from your taste,
etc.). `private` keeps it browser-only intermediate proxies
(corporate caching proxies, Cloudflare with cache rules, Nginx
proxy_cache) won't store one user's response and serve it to another.
"""
try:
if request.method != 'GET':
@ -336,7 +342,7 @@ def _add_discover_cache_headers(response):
return response
if response.headers.get('Cache-Control'):
return response
response.headers['Cache-Control'] = 'public, max-age=300'
response.headers['Cache-Control'] = 'private, max-age=300'
except Exception as exc:
# Don't let a header-tagging bug turn a successful response into
# a 500 — log and ship the response without the cache header.