docs/manual/compliance.html.en

	compliance.html.en revision d29d9ab4614ff992b0e8de6e2b88d52b6f1f153e
6ae232055d4d8a97267517c5e50074c2c819941and<?xml version="1.0" encoding="ISO-8859-1"?>
6ae232055d4d8a97267517c5e50074c2c819941and<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
6ae232055d4d8a97267517c5e50074c2c819941and<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
6ae232055d4d8a97267517c5e50074c2c819941and        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6ae232055d4d8a97267517c5e50074c2c819941and              This file is generated from xml source: DO NOT EDIT
6ae232055d4d8a97267517c5e50074c2c819941and        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
6ae232055d4d8a97267517c5e50074c2c819941and      -->
6ae232055d4d8a97267517c5e50074c2c819941and<title>HTTP Protocol Compliance - Apache HTTP Server</title>
6ae232055d4d8a97267517c5e50074c2c819941and<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
6ae232055d4d8a97267517c5e50074c2c819941and<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<script src="/style/scripts/prettify.js" type="text/javascript">
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen</script>
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen
6ae232055d4d8a97267517c5e50074c2c819941and<link href="/images/favicon.ico" rel="shortcut icon" /></head>
6ae232055d4d8a97267517c5e50074c2c819941and<body id="manual-page"><div id="page-header">
6ae232055d4d8a97267517c5e50074c2c819941and<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
6ae232055d4d8a97267517c5e50074c2c819941and<p class="apache">Apache HTTP Server Version 2.5</p>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd<img alt="" src="/images/feather.gif" /></div>
6ae232055d4d8a97267517c5e50074c2c819941and<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>
6ae232055d4d8a97267517c5e50074c2c819941and<div id="path">
6ae232055d4d8a97267517c5e50074c2c819941and<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>HTTP Protocol Compliance</h1>
b43f840409794ed298e8634f6284741f193b6c4ftakashi<div class="toplang">
6ae232055d4d8a97267517c5e50074c2c819941and<p><span>Available Languages: </span><a href="/en/compliance.html" title="English">&nbsp;en&nbsp;</a></p>
6ae232055d4d8a97267517c5e50074c2c819941and</div>
6ae232055d4d8a97267517c5e50074c2c819941and
b43f840409794ed298e8634f6284741f193b6c4ftakashi    <p>This document describes the mechanism to set a policy for HTTP
6ae232055d4d8a97267517c5e50074c2c819941and    protocol compliance for a given URL space by the origin servers or
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung    applications behind that URL space.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
b43f840409794ed298e8634f6284741f193b6c4ftakashi    <p>For those who may have received an error message from a rejected
b43f840409794ed298e8634f6284741f193b6c4ftakashi    policy, and need to know what the policy rejection means and what
b43f840409794ed298e8634f6284741f193b6c4ftakashi    they might do to fix the error, each policy is described below.</p>
b43f840409794ed298e8634f6284741f193b6c4ftakashi  </div>
6ae232055d4d8a97267517c5e50074c2c819941and<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#intro">Enforcing HTTP Protocol Compliance in Apache 2</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policyconditional">Conditional Request Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policylength">Content-Length Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policytype">Content-Type Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policykeepalive">Keepalive Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policymaxage">Freshness Lifetime / Maxage Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policynocache">No Cache Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policyvalidation">Validation Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policyvary">Vary Header Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and<li><img alt="" src="/images/down.gif" /> <a href="#policyversion">Protocol Version Policy</a></li>
6ae232055d4d8a97267517c5e50074c2c819941and</ul><h3>See also</h3><ul class="seealso"><li><a href="filter.html">Filters</a></li></ul></div>
6ae232055d4d8a97267517c5e50074c2c819941and<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
6ae232055d4d8a97267517c5e50074c2c819941and<div class="section">
6ae232055d4d8a97267517c5e50074c2c819941and<h2><a name="intro" id="intro">Enforcing HTTP Protocol Compliance in Apache 2</a></h2>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policyconditional">PolicyConditional</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policylength">PolicyLength</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policykeepalive">PolicyKeepalive</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policytype">PolicyType</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policyvary">PolicyVary</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policyvalidation">PolicyValidation</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policynocache">PolicyNocache</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policymaxage">PolicyMaxage</a></code></li><li><code class="directive"><a href="/mod/mod_policy.html#policyversion">PolicyVersion</a></code></li></ul></td></tr></table>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p>The HTTP protocol follows the <strong>robustness principle</strong>
1d980e5489836e977ba59b419e27b0ec875c4bd3takashi    as described in <a href="http://tools.ietf.org/html/rfc1122">RFC1122</a>,
6ae232055d4d8a97267517c5e50074c2c819941and    which states <strong>"Be liberal in what you accept, and conservative in
6ae232055d4d8a97267517c5e50074c2c819941and    what you send"</strong>. As a result of this principle, HTTP clients will
6ae232055d4d8a97267517c5e50074c2c819941and    compensate for and recover from incorrect or misconfigured responses, or
6ae232055d4d8a97267517c5e50074c2c819941and    responses that are uncacheable.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p>As a website is scaled up to face greater and greater traffic loads,
6ae232055d4d8a97267517c5e50074c2c819941and    suboptimal or misconfigured applications or server configurations can
6ae232055d4d8a97267517c5e50074c2c819941and    threaten both the stability and scalability of the website, as well as
6ae232055d4d8a97267517c5e50074c2c819941and    the hosting costs associated with it. A website can also scale up to face
6ae232055d4d8a97267517c5e50074c2c819941and    greater configuration complexity, and it can be increasingly difficult to
6ae232055d4d8a97267517c5e50074c2c819941and    detect and keep track of suboptimally configured URL spaces on a given
6ae232055d4d8a97267517c5e50074c2c819941and    server.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p>Eventually a point is reached where the principle "conservative in
6ae232055d4d8a97267517c5e50074c2c819941and    what you send" needs to be enforced by the server administrator.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p>The <code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code> module provides a set of filters
6ae232055d4d8a97267517c5e50074c2c819941and    which can be applied to a server, allowing key features of the HTTP
6ae232055d4d8a97267517c5e50074c2c819941and    protocol to be explicitly tested, and non compliant responses logged as
6ae232055d4d8a97267517c5e50074c2c819941and    warnings, or rejected outright as an error. Each filter can be applied
6ae232055d4d8a97267517c5e50074c2c819941and    separately, allowing the administrator to pick and choose which policies
6ae232055d4d8a97267517c5e50074c2c819941and    should be enforced depending on the circumstances of their environment.
6ae232055d4d8a97267517c5e50074c2c819941and    </p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p>The filters might be placed in testing and staging environments for
6ae232055d4d8a97267517c5e50074c2c819941and    the benefit of application and website developers, or may be applied
6ae232055d4d8a97267517c5e50074c2c819941and    to production servers to protect infrastructure from systems outside
6ae232055d4d8a97267517c5e50074c2c819941and    the administrator's direct control.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p class="figure">
6ae232055d4d8a97267517c5e50074c2c819941and    <img src="images/compliance-reverse-proxy.png" width="666" height="239" alt="Enforcing HTTP protocol compliance for an application server" />
6ae232055d4d8a97267517c5e50074c2c819941and    </p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p>In the above example, an Apache httpd server has been placed between
6ae232055d4d8a97267517c5e50074c2c819941and    the application server and the internet at large, and configured to cache
6ae232055d4d8a97267517c5e50074c2c819941and    responses from the application server. The <code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code>
6ae232055d4d8a97267517c5e50074c2c819941and    filters have been added to enforce support for cacheable content and
6ae232055d4d8a97267517c5e50074c2c819941and    conditional requests, ensuring that both <code class="module"><a href="/mod/mod_cache.html">mod_cache</a></code> and
6ae232055d4d8a97267517c5e50074c2c819941and    public caches on the internet are fully able to cache content created
6ae232055d4d8a97267517c5e50074c2c819941and    by the restful application server efficiently.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
6ae232055d4d8a97267517c5e50074c2c819941and    <p class="figure">
6ae232055d4d8a97267517c5e50074c2c819941and    <img src="images/compliance-static.png" width="469" height="239" alt="Enforcing HTTP protocol compliance in a static server" />
6ae232055d4d8a97267517c5e50074c2c819941and    </p>
6ae232055d4d8a97267517c5e50074c2c819941and
b43f840409794ed298e8634f6284741f193b6c4ftakashi    <p>In the above simpler example, a static server serving highly cacheable
6ae232055d4d8a97267517c5e50074c2c819941and    content has a set of policies applied to ensure that the server configuration
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung    conforms to a minimum level of compliance.</p>
6ae232055d4d8a97267517c5e50074c2c819941and
b43f840409794ed298e8634f6284741f193b6c4ftakashi  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd<div class="section">
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd<h2><a name="policyconditional" id="policyconditional">Conditional Request Policy</a></h2>
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policyconditional">PolicyConditional</a></code></li></ul></td></tr></table>
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd
6ae232055d4d8a97267517c5e50074c2c819941and    <p>This policy will be rejected if the server does not correctly respond
    to a conditional request with the appropriate status code.</p>

    <p>Conditional requests form the mechanism by which an HTTP cache makes
    stale content fresh again, and particularly for content with short freshness
    lifetimes, lack of support for conditional requests can add avoidable load
    to the server.</p>

    <p>Most specifically, the existence of any of following headers in the
    request makes the request conditional:</p>

    <dl>
    <dt><code>If-Match</code></dt>
    <dd>If the provided ETag in the <code>If-Match</code> header does not match
    the ETag of the response, the server should return
    <code>412 Precondition Failed</code>. Full details of how to handle an
    <code>If-Match</code> header can be found in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.24">
    RFC2616 section 14.24</a>.</dd>

    <dt><code>If-None-Match</code></dt>
    <dd>If the provided ETag in the <code>If-None-Match</code> header matches
    the ETag of the response, the server should return either
    <code>304 Not Modified</code> for GET/HEAD requests, or
    <code>412 Precondition Failed</code> for other methods. Full details of how
    to handle an <code>If-None-Match</code> header can be found in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.26">
    RFC2616 section 14.26</a>.</dd>

    <dt><code>If-Modified-Since</code></dt>
    <dd>If the provided date in the <code>If-Modified-Since</code> header is
    older than the <code>Last-Modified</code> header of the response, the server
    should return <code>304 Not Modified</code>. Full details of how to handle an
    <code>If-Modified-Since</code> header can be found in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.25">
    RFC2616 section 14.25</a>.</dd>

    <dt><code>If-Unmodified-Since</code></dt>
    <dd>If the provided date in the <code>If-Modified-Since</code> header is
    newer than the <code>Last-Modified</code> header of the response, the server
    should return <code>412 Precondition Failed</code>. Full details of how to
    handle an <code>If-Unmodified-Since</code> header can be found in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.28">
    RFC2616 section 14.28</a>.</dd>

    <dt><code>If-Range</code></dt>
    <dd>If the provided ETag or date in the <code>If-Range</code> header matches
    the ETag or Last-Modified of the response, and a valid <code>Range</code>
    is present, the server should return
    <code>206 Partial Response</code>. Full details of how to handle an
    <code>If-Range</code> header can be found in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.27">
    RFC2616 section 14.27</a>.</dd>

    </dl>

    <p>If the response is detected to have been successful (a 2xx response),
    but was conditional and one of the responses above was expected instead,
    this policy will be rejected. Responses that indicate a redirect or a
    failure of some kind (3xx, 4xx, 5xx) will be ignored by this policy.</p>

    <p>This policy is implemented by the <strong>POLICY_CONDITIONAL</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policylength" id="policylength">Content-Length Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policylength">PolicyLength</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response does not contain
    an explicit <code>Content-Length</code> header.</p>

    <p>There are a number of ways of determining the length of a response
    body, described in full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec4.4">
    RFC2616 section 4.4 Message Length</a>.</p>

    <p>When the <code>Content-Length</code> header is present, the size of
    the body is declared at the start of the response. If this information
    is missing, an HTTP cache might choose to ignore the response, as it
    does not know in advance whether the response will fit within the
    cache's defined limits.</p>

    <p>HTTP/1.1 defines the <code>Transfer-Encoding</code> header as an
    alternative to <code>Content-Length</code>, allowing the end of the
    response to be indicated to the client without the client having to
    know the length beforehand. However, when HTTP/1.0 requests are
    processed, and no <code>Content-Length</code> is specified, the only
    mechanism available to the server to indicate the end of the request
    is to drop the connection. In an environment containing load
    balancers, this can cause the keepalive mechanism to be bypassed.
    </p>

    <p>If the response is detected to have been successful (a 2xx response),
    and has a response body (this excludes <code>204 No Content</code>), and
    the <code>Content-Length</code> header is missing, this policy will be
    rejected. Responses that indicate a redirect or a failure of some kind
    (3xx, 4xx, 5xx) will be ignored by this policy.</p>

    <div class="warning">It should be noted that some modules, such as
    <code class="module"><a href="/mod/mod_proxy.html">mod_proxy</a></code>, add their own <code>Content-Length</code>
    header should the response be small enough for it to have been possible
    to read the response lacking such a header in one go. This may cause
    small responses to pass this policy, while larger responses may
    fail for the same URL.</div>

    <p>This policy is implemented by the <strong>POLICY_LENGTH</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policytype" id="policytype">Content-Type Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policytype">PolicyType</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response does not contain
    an explicit and syntactically correct <code>Content-Type</code> header
    that matches the server defined pattern.</p>

    <p>The media type of the body is placed in the <code>Content-Type</code>
    header, and the format of the header is described in full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec3.7">
    RFC2616 section 3.7 Media Types</a>.</p>

    <p>A syntactically valid content type might look as follows:</p>

    <div class="example"><p><code>
      Content-Type: text/html; charset=iso-8859-1
    </code></p></div>

    <p>Invalid content types might include:</p>

    <div class="example"><p><code>
      # invalid<br />
      Content-Type: foo<br />
      # blank<br />
      Content-Type:
    </code></p></div>

    <p>The server administrator has the option to restrict the policy to one
    or more specific types, or could specify a general wildcard type such as
    <code>*/*</code>.</p>

    <p>This policy is implemented by the <strong>POLICY_TYPE</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policykeepalive" id="policykeepalive">Keepalive Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policykeepalive">PolicyKeepalive</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response does not contain
    an explicit <code>Content-Length</code> header, or a
    <code>Transfer-Encoding</code> of chunked.</p>

    <p>There are a number of ways of determining the length of a response
    body, described in full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec4.4">
    RFC2616 section 4.4 Message Length</a>.</p>

    <p>When the <code>Content-Length</code> header is present, the size of
    the body is declared at the start of the response. HTTP/1.1 defines the
    <code>Transfer-Encoding</code> header as an alternative to
    <code>Content-Length</code>, allowing the end of the response to be
    indicated to the client without the client having to know the length
    beforehand. In the absence of these two mechanisms, the only way for
    a server to indicate the end of the request is to drop the connection.
    In an environment containing load balancers, this can cause the keepalive
    mechanism to be bypassed.
    </p>

    <p>Most specifically, we follow these rules:</p>

    <dl>
    <dt>IF</dt>
    <dd>we have not marked this connection as errored;</dd>

    <dt>and</dt>
    <dd>the client isn't expecting 100-continue</dd>

    <dt>and</dt>
    <dd>the response status does not require a close;</dd>

    <dt>and</dt>
    <dd>the response body has a defined length due to the status code
    being 304 or 204, the request method being HEAD, already having defined
    Content-Length or Transfer-Encoding: chunked, or the request version
    being HTTP/1.1 and thus capable of being set as chunked</dd>

    <dt>THEN</dt>
    <dd>we support keepalive.</dd>
    </dl>

    <div class="warning">The server may choose to turn off keepalive for
    various reasons, such as an imminent shutdown, or a Connection: close from
    the client, or an HTTP/1.0 client request with a response with no
    <code>Content-Length</code>, but for our purposes we only care that
    keepalive was possible from the application, not that keepalive actually
    took place.</div>

    <p>It should also be noted that the Apache httpd server includes a filter
    that adds chunked encoding to responses without an explicit content
    length. This policy catches those cases where this filter is bypassed or
    not in effect.</p>

    <p>This policy is implemented by the <strong>POLICY_KEEPALIVE</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policymaxage" id="policymaxage">Freshness Lifetime / Maxage Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policymaxage">PolicyMaxage</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response does not have
    an explicit <strong>freshness lifetime</strong> at least as long
    as the server defined limit, or if the freshness lifetime is
    calculated based on a heuristic.</p>

    <p>Full details of how a freshness lifetime is calculated is described in
    full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec13.2">
    RFC2616 section 13.2 Expiration Model</a>.</p>

    <p>During the freshness lifetime, a cache does not need to contact the
    origin server at all, it can simply pass the cached content as is back
    to the client.</p>

    <p>When the freshness lifetime is reached, the cache should contact the
    origin server in an effort to check whether the content is still fresh,
    and if not, replace the content.</p>

    <p>When the freshness lifetime is too short, it can result in excessive
    load on the server. In addition, should an outage occur that is as long
    or longer than the freshness lifetime, all cached content will become
    stale, which could cause a thundering herd of traffic when the
    server or network returns.</p>

    <p>This policy is implemented by the <strong>POLICY_MAXAGE</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policynocache" id="policynocache">No Cache Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policynocache">PolicyNocache</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response declares itself
    uncacheable using either the <code>Cache-Control</code> or
    <code>Pragma</code> headers.</p>

    <p>Full details of how content may be declared uncacheable is described in
    full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1">
    RFC2616 section 14.9.1 What is Cacheable</a>, and within the definition
    for the <code>Pragma</code> header in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.32">
    RFC2616 section 14.32 Pragma</a>.</p>

    <p>Most specifically, should any of the following header combinations
    exist in the response headers, the response will be rejected:</p>

    <ul>
    <li><code>Cache-Control: no-cache</code></li>
    <li><code>Cache-Control: no-store</code></li>
    <li><code>Cache-Control: private</code></li>
    <li><code>Pragma: no-cache</code></li>
    </ul>

    <p>When unexpected, uncacheable content may produce unacceptable levels
    of server load, or may incur significant cost. When this policy is enabled,
    all server defined uncacheable content will be rejected.</p>

    <p>This policy is implemented by the <strong>POLICY_NOCACHE</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policyvalidation" id="policyvalidation">Validation Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policyvalidation">PolicyValidation</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response does not contain
    either a syntactically correct <code>ETag</code> or
    <code>Last-Modified</code> header.</p>

    <p>The <code>ETag</code> header is described in full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.19">
    RFC2616 section 14.19 Etag</a>, and the <code>Last-Modified</code> header
    is described in full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.29">
    RFC2616 section 14.29 Last-Modified</a>.</p>

    <p>In addition to being checked present, the headers are checked for
    syntax.</p>

    <p>An <code>ETag</code> that is not surrounded with quotes, or is not
    declared "weak" by prefixing it with a "W/" will cause the policy to be
    rejected. A <code>Last-Modified</code> that is not parsed as a valid date
    will cause the policy to be rejected.</p>

    <p>This policy is implemented by the <strong>POLICY_VALIDATION</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policyvary" id="policyvary">Vary Header Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policyvary">PolicyVary</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the server response contains a
    <code>Vary</code> header, and that header in turn contains a header
    blacklisted by the administrator.</p>

    <p>The <code>Vary</code> header is described in full in
    <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.44">
    RFC2616 section 14.44 Vary</a>.</p>

    <p>Some client provided headers, such as <code>User-Agent</code>,
    can contain thousands or millions of combinations of values over a period
    of time, and if the response is declared cacheable, a cache might attempt
    to cache each of these responses separately, filling up the cache and
    crowding out other entries in the cache. In this scenario, if so
    configured, the policy will reject the response.</p>

    <p>This policy is implemented by the <strong>POLICY_VARY</strong>
    filter.</p>

  </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="policyversion" id="policyversion">Protocol Version Policy</a></h2>

    <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="/mod/mod_policy.html">mod_policy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="/mod/mod_policy.html#policyversion">PolicyVersion</a></code></li></ul></td></tr></table>

    <p>This policy will be rejected if the client request was made with a
    version number lower than the version of HTTP specified.</p>

    <p>This policy is typically used with restful applications where
    control over the type of client is desired. This policy can be used
    alongside the <code>POLICY_KEEPALIVE</code> filter to ensure that
    HTTP/1.0 clients don't cause keepalive connections to be dropped.</p>

    <p>Possible minimum versions that could be specified are:</p>

    <ul><li><code>HTTP/1.1</code></li>
    <li><code>HTTP/1.0</code></li>
    <li><code>HTTP/0.9</code></li>
    </ul>

    <p>This policy is implemented by the <strong>POLICY_VERSON</strong>
    filter.</p>

  </div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="/en/compliance.html" title="English">&nbsp;en&nbsp;</a></p>
</div><div id="footer">
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript">
    if (prettyPrint) {
        prettyPrint();
    }
</script>
</body></html>