Tom Duckering

Icon

a web log of my technical stumblings

Jetty + Akamai = Expire Header Evil

I was hunting around on the web to see if anyone else had come across this dangerous combination, but it seems that in web terms we are the only ones. So, in order to benefit others I figured I’d post this here.

Our problem was that when we were requesting content via Akamai edge suite from our origin Jetty based web app we were getting Expires header values with the year set to 2019! Frankly disastrous for our main page.

It took a little while to trace but it turns out that we are using a version of Jetty which uses the incorrect date format for it’s default Expires header. It sets Expires to be 01-Jan-1970. Looks ok, right? Well wrong. The relevant RFC states that 01 Jan 1970 is legal, and 01-Jan-70 is legal. Conversely, using a four digit year is illegal when you use hyphen separators.

But that’s not the problem. You’d expect that any compliant caches and browsers would spot the bad header format and just drop it. However not Akamai. It seems that it merely takes the first two digits of your year and re-writes these as a two digit year meaning that you would likely see Expires headers set with the year 2019 or 2020. Compared to 1970 that is a 49 year difference and compared to the date now that is an 8 year difference. In web caching terms that’s forever and very bad if you end up caching dynamic resources.

Fortunately the impact was small for us but this could have been a lot worse. We ended up putting a very quick fix into our BIGIP load balancer to strip the offending headers at our origin to stop it poisoning any more caches and we then fixed our code to explicitly set the header rather than rely on Jetty.

Filed under: Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: