Cache HTTP Error Responses

Cache error responses from the origin to reduce traffic when content isn’t available. With this behavior enabled, you can reduce the network traffic to your origin by caching HTTP error responses on the edge.

How it works

This behavior caches HTTP error responses with status codes 204, 305, 400, 404, 405, 501, 502, 503, 504, and 505 on the edge servers. When end-users request unavailable content, the edge server pulls the error response from the cache. By default, error responses with HTTP codes 204, 305, 404, and 405 are cached for 10 seconds, and this feature allows you to modify the caching time.

Features and options

Field: What it does

Enable: Enables or disables this behavior.

Max-age: Set the maximum time that cached objects can remain in the cache. A setting of 0 means no-cache, which forces revalidation before serving the content. Be aware that no-cache can cause a large increase in traffic to the origin in circumstances where that would be counterproductive (for example, when the origin is returning 500 errors).

Preserve Stale Objects: When enabled, edge servers keep and serve stale cached objects when serving responses with status codes 400, 500, 502, 503, and 504, so that end-user clients can access content during transient errors without re-fetching and re-caching content from the origin.

Avoid cache poisoning attacks

A cache poisoning attack happens when false information is included in a DNS cache. A query to that DNS returns an incorrect response and end-users are directed to the wrong site or app.

This can happen if you enable this behavior in your property and don't have a web application firewall (WAF) configured at the first level, before the request reaches your property configuration. If this is the case, a cache poisoning attack can occur if a request contains a request header with an invalid character.

To avoid this problem:

  • You can use Akamai's Kona Site Defender. This offers WAF rules that would automatically detect an invalid character. Talk to your account representative to get Kona Site Defender added to your contract.
  • You can use a custom WAF. Set up a custom WAF on your site or app to recognize invalid characters in a request header.
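The check a custom WAF rule would perform, as an added example (not Akamai or Kona Site Defender code). It assumes "invalid character" means any byte outside the RFC 9110 field-name and field-value grammar; the function names and the sample request are constructed for illustration.

```python
import re

# RFC 9110 section 5.1: a field name is a token, built only from tchar characters.
_NAME_OK = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 9110 section 5.5: a field value may hold visible ASCII, space, tab and
# obs-text (0x80-0xFF). NUL, CR, LF, other control bytes and DEL are invalid.
_VALUE_BAD = re.compile(rb"[^\t\x20-\x7e\x80-\xff]")


def header_violations(headers):
    """Return (name, reason) for every header that breaks the grammar.

    `headers` is an iterable of (name, value) pairs as raw bytes, taken
    before any normalization so the check sees what the client sent.
    """
    problems = []
    for name, value in headers:
        if not _NAME_OK.fullmatch(name):
            problems.append((name, "invalid character in field name"))
            continue
        bad = _VALUE_BAD.search(value)
        if bad:
            byte = bad.group()[0]
            problems.append((name, f"invalid byte 0x{byte:02x} in field value"))
    return problems


def should_block(headers):
    """True when the request must be rejected before it can reach the cache."""
    return bool(header_violations(headers))


# Constructed sample request headers (not taken from real traffic).
SAMPLE_REQUEST = [
    (b"Host", b"www.example.com"),
    (b"Accept", b"text/html"),
    (b"X-Trace", b"abc\x00def"),  # control byte inside the value
    (b"Bad Name", b"1"),          # space is not allowed in a field name
]

if __name__ == "__main__":
    for name, reason in header_violations(SAMPLE_REQUEST):
        print(f"block: {name!r}: {reason}")
```

Rejecting at this point means the malformed request never produces an origin error response that the edge could then cache for other clients.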
