[HttpClient] Various fixes and hardenings #64260
Merged
nicolas-grekas merged 9 commits into symfony:7.4 from Lctrs:stack_httpclient_rfc9111_fixes on May 20, 2026
Cache-Control directive names are now parsed case-insensitively, empty directives are ignored, and quoted directive values such as max-age="300" are unquoted before validation. Duplicate Cache-Control directives are treated as unusable freshness information for value-based checks so cached responses fall back to stale instead of choosing an arbitrary value. Sources: RFC 9111 §4.2.1, §5.2.
For shared caches, a valid s-maxage delta-seconds value overrides max-age/Expires and carries proxy-revalidate semantics; malformed or duplicate values are treated as unusable freshness information. A valid s-maxage delta-seconds value is also required before using s-maxage to permit shared-cache reuse of authorized responses. Sources: RFC 9111 §5.2.2.8, §5.2.2.10, §3.5.
Unsafe requests now invalidate stored responses for their target URI after a non-error response. Unknown extension methods are treated conservatively as unsafe because methods are only safe when defined as safe. Non-error responses for this invalidation rule are 2xx or 3xx responses, so informational 1xx responses do not trigger invalidation. Sources: RFC 9111 §4, §4.4; RFC 9110 §9.2.1.
The cache now recognizes all RFC 9111 status codes that are heuristically cacheable by default, including 308, 405, 414, and 501. Responses with other final status codes can also be stored when explicit freshness information permits it, except for 206 and standalone 304 responses which this client does not store. Non-default status codes only use heuristic freshness when the response is explicitly marked public. Sources: RFC 9111 §3, §4.2.1, §4.2.2.
Cached responses now account for Date, Age, response delay, and resident time when computing current_age. The generated Age header on cached responses is based on that current_age calculation instead of only the originally stored Age value. Sources: RFC 9111 §4.2.3, §5.1.
Cached responses no longer store hop-by-hop fields named by the Connection header. The cache continues to exclude the fixed connection-specific fields that must not be stored. Sources: RFC 9111 §3.1; RFC 9110 §7.6.1.
A 304 response now freshens a cached response only when response validators match the stored response. Client conditional requests pass through 304 responses instead of being replaced by cached 200 responses, and fresh cached responses can answer matching client conditionals with 304. Sources: RFC 9111 §4.3.2, §4.3.4.
When a cached response is freshened by a matching 304 response, the stored metadata, headers, age information, and freshness lifetime are updated from the 304 response. If the updated metadata changes Vary handling or makes the response no longer cacheable, the stored variant metadata is removed instead of being reused incorrectly. Sources: RFC 9111 §4.1, §4.2.3, §4.3.4.
Request Cache-Control directives now affect cache lookup, revalidation, and storage decisions. no-cache forces validation before reuse, no-store bypasses lookup and prevents storage, max-age limits the acceptable current age, and only-if-cached returns a gateway timeout on cache miss instead of contacting the origin. Sources: RFC 9111 §5.2.1.1, §5.2.1.4, §5.2.1.5, §5.2.1.7.
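An added sketch of the Cache-Control parsing and shared-cache freshness rules described above; it is not code from the pull request or from Symfony. The function names are hypothetical, and it assumes that a present but unusable s-maxage does not fall back to max-age. Expires and heuristic freshness are left out.

```php
<?php
// Added illustration, not Symfony's implementation; function names are hypothetical.

/** Parse a Cache-Control value into [lowercased name => list of values]. */
function parseCacheControl(string $header): array
{
    $directives = [];
    // Split on commas, but not on commas inside a quoted-string.
    preg_match_all('/(?:[^,"]|"(?:[^"\\\\]|\\\\.)*")+/', $header, $matches);
    foreach ($matches[0] as $part) {
        if ('' === $part = trim($part)) {
            continue; // empty list member, as in "max-age=60, ,public"
        }
        [$name, $value] = array_pad(explode('=', $part, 2), 2, null);
        if (null !== $value && preg_match('/^\s*"(.*)"\s*$/s', $value, $quoted)) {
            $value = stripslashes($quoted[1]); // max-age="300" becomes 300
        }
        $directives[strtolower(trim($name))][] = null === $value ? null : trim($value);
    }

    return $directives;
}

/** The single valid delta-seconds value, or null if absent, malformed or duplicated. */
function deltaSeconds(array $directives, string $name): ?int
{
    $values = $directives[$name] ?? [];
    $usable = 1 === count($values) && is_string($values[0]) && preg_match('/^\d+$/D', $values[0]);

    return $usable ? (int) $values[0] : null;
}

/** Shared-cache lifetime in seconds; null means "no usable freshness, treat as stale". */
function sharedFreshnessLifetime(array $directives): ?int
{
    // Assumption: a present s-maxage wins even when it is unusable (no fallback to max-age).
    $name = isset($directives['s-maxage']) ? 's-maxage' : 'max-age';

    return deltaSeconds($directives, $name);
}

// Constructed header values: quoted + mixed case, duplicate, malformed s-maxage, empty member.
$samples = ['Max-Age="300", Public', 'max-age=60, max-age=3600', 'max-age=600, s-maxage=abc', 'max-age=600, , S-MaxAge=30'];
foreach ($samples as $header) {
    printf("%-28s => %s\n", $header, var_export(sharedFreshnessLifetime(parseCacheControl($header)), true));
}
```

Returning null rather than picking one of the duplicate values is what keeps a conflicting or malformed header from extending how long a shared cache serves a response.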
Thank you @Lctrs.
nicolas-grekas added a commit that referenced this pull request on May 20, 2026
This PR was squashed before being merged into the 7.4 branch.

Discussion
----------

[HttpClient] Various fixes and hardenings

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | -
| License       | MIT

Supersedes #64229, #64230, and #64231. See each commit body for details.

Ping @nicolas-grekas

Commits
-------

b0db62d [HttpClient] Honor request Cache-Control directives in cache
9fc2977 [HttpClient] Update cached metadata from 304 responses
a0cabbe [HttpClient] Match validators before using 304 responses
92f5550 [HttpClient] Do not store Connection-nominated headers
ed21c54 [HttpClient] Compute cached response age per RFC 9111
301b1dc [HttpClient] Broaden cacheable response status handling
298557c [HttpClient] Invalidate cache for unknown unsafe methods
1646c49 [HttpClient] Honor s-maxage revalidation semantics
3e14dc8 [HttpClient] Parse Cache-Control directives case-insensitively
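An added worked example of the current_age calculation from RFC 9111 §4.2.3 that the "Compute cached response age per RFC 9111" commit refers to, together with the request max-age limit; it is not code from the pull request or from Symfony. The function names, array keys and sample entry are hypothetical, and falling back to the receive time when Date is missing is an assumption.

```php
<?php
// Added illustration, not Symfony's implementation; function names and array keys are hypothetical.

/** current_age per RFC 9111 §4.2.3; times are Unix timestamps in seconds. */
function currentAge(array $stored, int $now): int
{
    // Assumption: a missing or unparsable Date falls back to the time the response was received.
    $dateValue = strtotime($stored['date'] ?? '') ?: $stored['response_time'];
    $ageValue = ctype_digit($stored['age'] ?? '') ? (int) $stored['age'] : 0;

    $apparentAge = max(0, $stored['response_time'] - $dateValue);
    $responseDelay = $stored['response_time'] - $stored['request_time'];
    $correctedAgeValue = $ageValue + $responseDelay;
    $correctedInitialAge = max($apparentAge, $correctedAgeValue);
    $residentTime = $now - $stored['response_time'];

    return $correctedInitialAge + $residentTime;
}

/** Reuse is allowed only while current_age is within the lifetime and the request's max-age. */
function isReusable(int $currentAge, int $freshnessLifetime, ?int $requestMaxAge = null): bool
{
    return $currentAge < $freshnessLifetime
        && (null === $requestMaxAge || $currentAge <= $requestMaxAge);
}

// Constructed stored entry: an upstream cache already held the response for 120 s.
$received = gmmktime(10, 0, 5, 5, 20, 2026);
$stored = [
    'date' => 'Wed, 20 May 2026 10:00:00 GMT',
    'age' => '120',
    'request_time' => $received - 1,
    'response_time' => $received,
];
$age = currentAge($stored, $received + 60); // served from cache one minute later

printf("Age: %d\n", $age); // value for the Age header on the cached response
printf("reusable (lifetime 300): %s\n", var_export(isReusable($age, 300), true));
printf("reusable (request max-age=150): %s\n", var_export(isReusable($age, 300, 150), true));
```

Echoing only the stored Age value would under-report how old the entry is by the response delay and the time it has sat in the cache, which is the gap the commit closes.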
Supersedes #64229, #64230, and #64231. See each commit body for details.
Ping @nicolas-grekas