Danger of using Cache Everything with Edge Cache TTL in CloudFlare
Not understanding cache-control headers can lead to security loopholes
Recently one of our customers came to us with an urgent problem to fix. They have a Drupal website with CloudFlare as the CDN, and it seemed that admin users were seeing each other's account when they logged in.
I did a quick investigation and suspected that the problem was due to the CloudFlare cache. Typically the Drupal cache-control header and the CloudFlare cf-cache-status header are as follows:
cache-control: must-revalidate, no-cache, private
cf-cache-status: DYNAMIC
CloudFlare does not cache Drupal pages because of the presence of cookies, whether the user is logged in or not. Thus cf-cache-status is always DYNAMIC, which means the page is dynamic content and not eligible for caching in CloudFlare.
What I noticed was that cf-cache-status was shown as HIT, which is odd given that the origin still said the response was private:
cache-control: must-revalidate, no-cache, private
cf-cache-status: HIT
When I logged into the customer's CloudFlare account, I noticed this new Page Rule:
The customer had created a page rule to cache pages, probably because they felt the website was slow. Besides forcing CloudFlare to cache everything, they also decided that the Edge Cache TTL could be set to a day, since their content does not change that often.
Setting CloudFlare to Cache Everything does not mean CloudFlare will really cache everything. It will still not cache dynamic pages such as Drupal pages since the pages contain cookies that are specific to individual users. CloudFlare will only cache assets such as images, fonts and static files like CSS.
However, by activating Edge Cache TTL, CloudFlare will remove cookies from pages. This means the Drupal pages will be cached, but without cookies, so a page rendered for one logged-in admin is served from the edge to the next visitor. This is the root cause of admin users seeing each other's account, and the CloudFlare documentation clearly warns about it. I quickly turned off this rule and the problem was resolved.
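As an added example (not code from the original post), here is a small audit that spots the symptom described above in captured response headers: a cf-cache-status of HIT on a response whose origin cache-control forbids shared caching, or that sets cookies. The sample header blocks are constructed, not taken from the customer's site.

```python
"""Flag Cloudflare-fronted responses that were served from the edge cache
even though the origin marked them as private or user-specific."""
from typing import Dict, List, Set

# Cache-control directives that tell a shared cache (such as a CDN edge) not to serve the response.
NON_SHAREABLE = {"private", "no-cache", "no-store"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x header block into a dict keyed by lower-cased header name.
    Values are lists because headers such as Set-Cookie may repeat."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Set[str]:
    """Collect the directive names (without =values) from every cache-control header."""
    directives: Set[str] = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            directives.add(token.strip().split("=", 1)[0].lower())
    return directives


def audit(raw: str) -> List[str]:
    """Return findings for one response; an empty list means nothing suspicious."""
    headers = parse_headers(raw)
    status = "".join(headers.get("cf-cache-status", [])).upper()
    findings: List[str] = []
    if status != "HIT":
        return findings  # only an edge HIT can leak one user's page to another
    bad = cache_control_directives(headers) & NON_SHAREABLE
    if bad:
        findings.append("edge HIT despite non-shareable cache-control: " + ", ".join(sorted(bad)))
    if "set-cookie" in headers:
        findings.append("edge HIT on a response that sets cookies")
    return findings


# Constructed samples mirroring the healthy and the broken header pairs discussed above.
HEALTHY = "HTTP/1.1 200 OK\ncache-control: must-revalidate, no-cache, private\ncf-cache-status: DYNAMIC\n"
LEAKING = "HTTP/1.1 200 OK\ncache-control: must-revalidate, no-cache, private\ncf-cache-status: HIT\n"
LEAKING_COOKIE = LEAKING + "set-cookie: SESSabc=example; HttpOnly\n"
```

Running audit() over a crawl of the site's authenticated pages after any page-rule change makes a mis-set Cache Everything rule visible before users notice it.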