Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
litespeed_wiki:cache:laravel_esi [2019/04/10 14:06] Lisa Clarke Proofreading |
litespeed_wiki:cache:laravel_esi [2019/04/22 16:40] Lucas Rolff Change wiki to use laravel-lscache package. |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ======Use LSCache with CSRF Tokens in Laravel====== | ======Use LSCache with CSRF Tokens in Laravel====== | ||
| + | |||
| + | **This wiki assumes you're using our [[https://github.com/litespeedtech/lscache-laravel|Laravel LSCache]] composer package.** | ||
| When you're building a web application that contains forms, it's quite common that you have CSRF tokens to prevent cross-site scripting (XSS). However, if you want to use LSCache within your application, this often breaks form submissions because everyone gets the same CSRF token, unless you've set private cache as the default when enabling LSCache. | When you're building a web application that contains forms, it's quite common that you have CSRF tokens to prevent cross-site scripting (XSS). However, if you want to use LSCache within your application, this often breaks form submissions because everyone gets the same CSRF token, unless you've set private cache as the default when enabling LSCache. | ||
| Line 11: | Line 13: | ||
| Route::get('/csrf', function() { | Route::get('/csrf', function() { | ||
| $response = csrf_token(); | $response = csrf_token(); | ||
| - | return response($response, 200)->header('X-LiteSpeed-Cache-Control', 'private,max-age=900'); | + | return response($response, 200); |
| - | }); | + | })->middleware('lscache:private;max-age=900'); |
| What we are doing here is solely generating a CSRF token. We make it private in such a way that the response becomes unique to the user, and we cache it for 900 seconds (15 minutes). Since the tokens do not constantly refresh, there is no need to do an ESI call for every pageview if we can avoid it. | What we are doing here is solely generating a CSRF token. We make it private in such a way that the response becomes unique to the user, and we cache it for 900 seconds (15 minutes). Since the tokens do not constantly refresh, there is no need to do an ESI call for every pageview if we can avoid it. | ||
| Line 74: | Line 76: | ||
| =====Remember to Enable ESI===== | =====Remember to Enable ESI===== | ||
| - | In your .htaccess file, you can enable ESI for all requests: | + | We have a small example here of how to enable the ESI engine: |
| - | <IfModule LiteSpeed> | + | Route::get('/csrf', function() { |
| - | RewriteEngine on | + | $response = csrf_token(); |
| - | RewriteRule .? - [E=esi_on:1,E=cache-control:max-age=3600] | + | return response($response, 200); |
| - | CacheLookup on | + | })->middleware('lscache:private;max-age=900'); |
| - | </IfModule> | + | |
| + | Route::get('/contact', function() { | ||
| + | return view('contact'); | ||
| + | })->middleware('lscache:max-age=3600;public;esi=on'); | ||
| + | | ||
| + | We use our ''lscache'' middleware to set a max age of 1 hour, set the cacheability to public and enable the ESI engine with ''esi=on''. It's important that you use ''esi=on'' within the lscache-middleware for all the pages where you use your ESI blocks - if you do not add this, the ESI engine won't get enabled and ESI won't be used. | ||
| - | However, we do advise that you enable ESI using the ''X-LiteSpeed-Cache-Control'' response header. It also allows you to do more fine-grained control over how long you want to cache the pages, whether it should be private or public cache, etc. | + | For performance reasons, please do not enable ESI globally. |