Next.js Discord

Can visitors of my NextJS site control the cache behavior within NextJS?

Unanswered
Irish Red and White Setter posted this in #help-forum
Irish Red and White Setter (OP)
From what I can tell, NextJS can return cached data and content, but if you request with the header cache-control: max-age=0, you essentially tell the backend to ignore cached data and force new data to be fetched/generated.

In essence, a requester can control behavior behind the scenes, so to say.
Am I missing something here or is this a recipe for empowering DDOS attacks against yourself?

6 Replies

Sun bear
Caching and DDOS protection are two different things. You cache to save on computing power when receiving legitimate requests.

DDOS protection should be in its own layer and has nothing to do with caching.
Irish Red and White Setter (OP)
@Sun bear Aha, so in that case one would need a DDOS protection that blocks any request that supplies a cache-control header, correct?
Sun bear
No, in the case of a DDOS attack, even if you are just sending the cached data, you would still be vulnerable to downtime, since the server cannot really keep up with the number of requests. But you can block the cache-control header in the network layer if you want.
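Blocking the cache-control header in a layer in front of the app, as suggested in the reply above, can be done by dropping the header before forwarding instead of rejecting the request. The following is an added example, not part of the thread and not Next.js code; the function names and the upstream address `http://127.0.0.1:3000` are assumptions.

```javascript
// Added example: drop client-supplied cache directives in a layer in front
// of the Next.js server. Uses only web-standard globals (Node 18+).

// Request headers a client can use to ask for fresh content.
const CLIENT_CACHE_HEADERS = ["cache-control", "pragma"];

// Copy the headers without those directives and report what was removed,
// so the layer can log or count clients that send them.
function sanitizeHeaders(incoming) {
  const headers = new Headers(incoming);
  const removed = {};
  for (const name of CLIENT_CACHE_HEADERS) {
    const value = headers.get(name); // header lookup is case-insensitive
    if (value !== null) {
      removed[name] = value;
      headers.delete(name);
    }
  }
  return { headers, removed };
}

// Build the request to forward to the upstream (hypothetical origin).
// Path and query are assigned to the upstream URL instead of being resolved
// against it, so a path such as "//other.host/" cannot change the target host.
function buildUpstreamRequest(request, upstreamOrigin) {
  const src = new URL(request.url);
  const target = new URL(upstreamOrigin);
  target.pathname = src.pathname;
  target.search = src.search;
  const { headers, removed } = sanitizeHeaders(request.headers);
  const hasBody = request.method !== "GET" && request.method !== "HEAD";
  const init = { method: request.method, headers };
  if (hasBody) Object.assign(init, { body: request.body, duplex: "half" });
  return { upstream: new Request(target, init), removed };
}

// Constructed sample: a client asking the server to bypass cached content.
function demo() {
  const sample = new Request("https://site.example/products?page=2", {
    headers: { "Cache-Control": "max-age=0", Pragma: "no-cache", Accept: "text/html" },
  });
  const { upstream, removed } = buildUpstreamRequest(sample, "http://127.0.0.1:3000");
  console.log(upstream.url, Object.fromEntries(upstream.headers), removed);
  return { upstream, removed };
}
demo();
```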
Irish Red and White Setter (OP)
@Sun bear
Ok. My example was bad, sorry, I am not really focused on the DDOS part of the equation. I should not have mentioned the word DDOS.

My main question is whether or not I am understanding correctly that the headers sent by a client request have this much power or not.

One could set up a website under the impression that one has designed a good architecture using cache revalidate times for your internal NextJS fetch calls and thus expect a certain load on your backend API for example.
But then all it takes is one rogue requestor - malicious or not - to make many requests that now suddenly bypass your designed caching approach.

It sounds a bit weird to me which is why I am questioning if I am understanding NextJS correctly or not.
Sun bear
I don't think you can, but maybe I'm wrong.
It's probably in the docs somewhere here: https://nextjs.org/docs/app/building-your-application/caching