tessl-labs/http-caching-strategy

HTTP caching for web APIs — Cache-Control headers, ETags, conditional requests,

88

25.00x
Quality

84%

Does it follow best practices?

Impact

100%

25.00x

Average score across 4 eval scenarios

Security by Snyk

Passed

No known issues

verifiers/cache-headers-set.json

{
  "instruction": "Proactively set Cache-Control headers on every API endpoint — public data gets max-age with stale-while-revalidate, authenticated data gets private no-store, mutations get no-store",
  "relevant_when": "Agent creates or modifies any API endpoint that serves data via GET, or any endpoint that returns a response — even if the task does not mention caching, performance, or headers",
  "context": "Every API endpoint must set explicit Cache-Control headers. Without them, browsers and CDNs use unpredictable heuristic caching. Public catalog/list endpoints need 'public, max-age=60, stale-while-revalidate=300'. Authenticated endpoints need 'private, no-store'. POST/PUT/DELETE responses need 'no-store'. This is as fundamental as setting HTTP status codes — never serve a response without cache headers.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/http-caching-strategy/SKILL.md",
      "tile": "tessl-labs/http-caching-strategy@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "cache-control-on-get-endpoints",
      "rule": "Every GET endpoint sets an explicit Cache-Control header — either caching directives (public, max-age) or explicit opt-out (private, no-store)",
      "relevant_when": "Agent creates any GET endpoint that returns data"
    },
    {
      "name": "public-data-cacheable",
      "rule": "GET endpoints returning public/catalog data set 'Cache-Control: public, max-age=N' with an appropriate TTL and optionally stale-while-revalidate",
      "relevant_when": "Agent creates GET endpoints for products, catalogs, menus, categories, search results, or other public data"
    },
    {
      "name": "authenticated-endpoints-private",
      "rule": "GET endpoints behind authentication set 'Cache-Control: private' to prevent CDNs/proxies from caching user-specific data",
      "relevant_when": "Agent creates GET endpoints that require authentication or return per-user data"
    },
    {
      "name": "mutation-responses-no-store",
      "rule": "POST, PUT, PATCH, DELETE responses set 'Cache-Control: private, no-store' or 'Cache-Control: no-store'",
      "relevant_when": "Agent creates endpoints that mutate data"
    },
    {
      "name": "stale-while-revalidate-on-lists",
      "rule": "List/catalog endpoints include stale-while-revalidate to prevent thundering herd on cache expiry",
      "relevant_when": "Agent creates GET endpoints returning lists of items (products, articles, categories)"
    }
  ]
}