Customizing the Cache Control Header
The items described here should be configured only if your company has a message cache requirement or if you know you will be sending the same response many times to connected clients.
Overview
Cache Control is a mechanism to improve performance and responsiveness when serving HTTP resources by allowing each resource to define its caching policy via the Cache-Control header.
The Cache-Control header defines who can cache the response, under which conditions, and for how long.
Depending on the type of resource, there is an optimal Cache-Control policy that should be used. For example, public images are good candidates to be cached, while pages containing users' sensitive data are not good candidates.
Ideally, try to cache as many responses as possible, for as long as possible, on the client, and implement an efficient re-validation mechanism. Reference the diagram in the "Defining Optimal Cache-Control Policy" section on this web page to help determine the optimal cache-control policy for the resource.
Reference this web page for a complete list of Cache-Control directives.
Handling the Cache Control Header
The Cache-Control header can be handled in the following ways:
From within the application, by adding the header to the response object, for example by calling the HttpServletResponse#setHeader(String name, String value) API if you are using Java and the Servlet APIs.
From a web server such as Apache (see mod_expires).
From load balancers, proxies, and similar (for example, HAProxy and Nginx).
From meta tags in HTML pages.
It is important to note that usually there are two ways to set a header:
Override the value if the header is already set.
Add a value to the existing values if the header is already set.
Customizing the Cache Control Header in ThingWorx
Modifying the cache control options could negatively impact performance of the affected ThingWorx server. If messages are cached for a shorter period of time or not at all, incoming messages could take longer to process. If more messages are cached for a longer period of time, more memory could be consumed during operation.
In order to customize the cache control settings in ThingWorx, the Apache Tomcat web.xml file must be modified:
1. Add the X-Content-Type-Options and X-XSS-Protection parameters in the web.xml file to increase security:
<filter>
  <description>Sets various HTTP Response Headers in order to increase security, etc.</description>
  <filter-name>HttpResponseHeadersFilter</filter-name>
  <filter-class>com.thingworx.security.filter.HttpResponseHeadersFilter</filter-class>
  <init-param>
    <param-name>X-Content-Type-Options</param-name>
    <param-value>SET nosniff</param-value>
  </init-param>
  <init-param>
    <param-name>X-XSS-Protection</param-name>
    <param-value>SET 1; mode=block</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>HttpResponseHeadersFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
2. Add the desired cache-control headers. For example:
<init-param>
  <param-name>Cache-Control</param-name>
  <param-value>SET max-age=86400, public</param-value>
</init-param>
3. If a more fine-grained configuration is required, multiple instances of the filter with different mappings can be added. For example:

<filter>
  <description>Public resources cache</description>
  <filter-name>PublicResourcesCache</filter-name>
  <filter-class>com.thingworx.security.filter.HttpResponseHeadersFilter</filter-class>
  <init-param>
    <param-name>Cache-Control</param-name>
    <param-value>SET max-age=86400, public</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>PublicResourcesCache</filter-name>
  <url-pattern>/public/*</url-pattern>
</filter-mapping>

<filter>
  <description>Private resources cache</description>
  <filter-name>PrivateResourcesCache</filter-name>
  <filter-class>com.thingworx.security.filter.HttpResponseHeadersFilter</filter-class>
  <init-param>
    <param-name>Cache-Control</param-name>
    <param-value>SET no-store</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>PrivateResourcesCache</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>
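
An added example, not part of the original page and not PTC code: a Python check that reads a web.xml, resolves the Cache-Control value each HttpResponseHeadersFilter mapping sets, and flags a `public` policy on `/*` or on a path listed as sensitive, because such a mapping also covers pages containing users' sensitive data. The sample XML is constructed; the `sensitive` list and the reading of the parameter value as an action keyword (`SET`) followed by the header value are assumptions.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "com.thingworx.security.filter.HttpResponseHeadersFilter"
# Constructed sample: the step 2 header inside the filter mapped to /*,
# plus the /private/* filter from step 3. Not taken from a real server.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <filter><filter-name>HttpResponseHeadersFilter</filter-name>
  <filter-class>com.thingworx.security.filter.HttpResponseHeadersFilter</filter-class>
  <init-param><param-name>Cache-Control</param-name>
   <param-value>SET max-age=86400, public</param-value></init-param></filter>
 <filter-mapping><filter-name>HttpResponseHeadersFilter</filter-name>
  <url-pattern>/*</url-pattern></filter-mapping>
 <filter><filter-name>PrivateResourcesCache</filter-name>
  <filter-class>com.thingworx.security.filter.HttpResponseHeadersFilter</filter-class>
  <init-param><param-name>Cache-Control</param-name>
   <param-value>SET no-store</param-value></init-param></filter>
 <filter-mapping><filter-name>PrivateResourcesCache</filter-name>
  <url-pattern>/private/*</url-pattern></filter-mapping>
</web-app>"""

def _text(el, tag):
    return (el.findtext(tag) or "").strip()

def cache_policies(web_xml):
    """Map each url-pattern to the Cache-Control value its filter sets."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop the XML namespace prefix from every tag
        el.tag = el.tag.rsplit("}", 1)[-1]
    values = {}
    for flt in root.iter("filter"):
        if _text(flt, "filter-class") != FILTER_CLASS:
            continue
        for param in flt.iter("init-param"):
            if _text(param, "param-name").lower() == "cache-control":
                # Assumed format "SET <value>": drop the keyword, keep the value
                values[_text(flt, "filter-name")] = _text(param, "param-value").partition(" ")[2]
    return {url.text.strip(): values[_text(m, "filter-name")]
            for m in root.iter("filter-mapping") if _text(m, "filter-name") in values
            for url in m.findall("url-pattern")}

def audit(web_xml, sensitive=("/private/*",)):
    """Flag catch-all or sensitive patterns whose responses shared caches may store."""
    findings = []
    for pattern, header in cache_policies(web_xml).items():
        directives = {d.strip().split("=")[0].lower() for d in header.split(",")}
        shared = "public" in directives and not directives & {"no-store", "private"}
        if shared and (pattern == "/*" or pattern in sensitive):
            findings.append((pattern, header))
    return findings
```

On the constructed sample, `audit(SAMPLE_WEB_XML)` reports the `/*` mapping; the step 3 layout, with `public` limited to `/public/*`, produces no findings.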