Setting Cache Control HTTP Headers in Web API Controller Method

Controlling caching behaviour of an HTTP response is an important task that cannot be ignored as it will have a big impact on a web application load and performance. In ASP.NET Web Forms and MVC applications it usually is done by using special directives or attributes that take care of adding corresponding headers to the response. ASP.NET Web API framework unfortunately does not come with an out of the box support for this functionality so concious developers need to deal with that themselves. Luckily it is not a difficult task to do as the Web API framework has a number of support objects that simplify the job.

Basically in order to control caching behaviour we need to make sure that the output response will have what is called "Cache control header" with proper values that determine caching behaviour. Example below demonstrates how to make a response publicly cacheable for a period of time:

   var response = new HttpResponseMessage();
   response.Headers.CacheControl = new CacheControlHeaderValue
          {Public = true, MaxAge = TimeSpan.FromSeconds(maxAge)};

To simplify the usage further we can even create a static extension method that can be easily applied in a controller method:

// somewhere in a static class
public static HttpResponseMessage PublicCache(this HttpResponseMessage response, int maxAge)
{
   response.Headers.CacheControl = new CacheControlHeaderValue
          {Public = true, MaxAge = TimeSpan.FromSeconds(maxAge)};
   return response;
}
...
// inside an ApiController class
public HttpResponseMessage MyApiMethod(long id)
{
   var response = new HttpResponseMessage();
   ..............
   return response.PublicCache(24 * 7 * 60);
}

ASP.NET and SSL Offloading

SSL offloading is quite a popular method of improving a web server performance by delegating a CPU-intensive SSL processing operations to an external device such as a load balancer. Because having a load balancer only makes sense when there are multiple web servers working in a farm it looks like an attractive solution for maximizing usage of a load balancer and at the same time improving performance of web servers by freeing them from doing an "unnecessary" SSL processing. What also makes SSL offloading a high profile feature is load balancing appliance vendors marketing SSL offloading as one of the selling points of their products.

With all above said being correct it is not always recommended to rush for turning SSL offloading on. One very specific use case is an ASP.NET application using  Web Forms authentication configured to serve protected content over secure connection only. What that means is when a request for a protected page sent over unsecured HTTP the application will redirect it to a secured version of the Url. But because the SSL request never reaches a web server (since it's being intercepted by a load balancer and converted into HTTP request) the application logic will be stuck in an infinite redirect loop. To resolve the problem there are only two options: allow protected content over an unsecured connection or disable SSL offloading. If there is more of an application logic that requires secured connection between client an a server it makes more sense to not use SSL offloading at all.

There are however scenarios when SSL offloading is very helpful. Examples include but no limited to many kinds of data processing service-like web applications that are not intended to return human-readable HTML output, TCP/IP based data processing applications that do not use HTTP at all and so forth. Most likely such applications will not base their logic on a condition of a secure connection with a client.

What are PROs and CONs of using SSL offloading? Obviously one positive point is web servers performance improvement by removing SSL processing from their plates. How important that could be? Most likely that depends on traffic. For high traffic high profile publicly accessible web servers that could be very important but in such cases all the efforts must be made to not couple application logic with a type of client-server connection. From another hand modern server CPUs implement specialized command sets that make SSL processing much less intensive and not so terrifying a task for web servers so it could be more convenient to allow secure traffic directly to web servers.

Another consideration is how secure traffic passing between an SSL offloading load balancer and a web server is. Obviously both devices are supposed to be behind a firewall but it needs to be take care of because traffic may contain sensitive information and in such a case load balancer could become a point of attack.

One more concern is IT maintenance. Secured infrastructure requires setting up and maintaining SSL certificates and other components. If there are a lot of web servers in a farm it could make sense to minimize maintenance by centralizing all SSL configurations on SSL offloading devices.

In conclusion, understanding specifics of a particular implementation is crucial for making a correct decision about using SSL offloading technique.

Why Some Web Sites Suck

I am an active Internet user. I visit and use a lot of different web sites including those for all kinds of e-commerce and utilities. Being at the same time an experienced professional web developer allows me to understand why some web sites are not as good as others and some of them simply suck. The first and foremost reason from my experience is that web site's developers do not follow web development best practices and most likely do not test their creations thoroughly.

In this article I am trying to analyse and describe most commonly occurring problems not visible to a non-professional eye but significantly affecting users' experience.

Base technology platform selection

Often a web site could be built on top of a platform that is familiar to a development team but not necessarily a good choice for a new project but sill would be selected. One particular example is a high traffic e-commerce web site built upon Microsoft Sharepoint Portal Server because the developer team used this technology for a corporate news portal. The platform choice always brings its limitations and must be validated against a particular web site goals and usages. How fast do you expect it to work? How cross-browser compatible do you expect it to be? Those and other similar questions should be asked to make sure the technological platform choice is proper.

Web development framework

Obviously the platform choice limits the options for a Web development framework but if you are a .NET developer you most likely have at least two choices: ASP.NET WebForms and ASP.NET MVC. Both frameworks are modern first-class web development tools and support all the recent technological advances of web development. However regardless of the framework choice a team needs to make sure it uses all those advances and follows known best practices for a selected framework.

Most frequently noticed ASP.NET development bad practices

When I come across a web site that I don't like but still have to use I usually take a pick at the source code and easily spot some from the known bad practices listed below.

• HTML 4.01 Transitional. Remind me what year is it?
• JavaScript and CSS references neither bundled nor minified. Page load time, anyone?
• Inline JavaScripts that are neither minified nor obfuscated. See the previous point.
• Inline JavaScripts do not use OOP: still the old school functions only.
• Inline handling of cross-browser differences like "<!--[if IE 7]>". Well, this is really old school. No need to do that any more especially with JS libraries like jQuery.
• Inline CSS using ASP.NET long IDs. Shame on you, development team. That was considered poor poor practice since I can remember. Basically it's just a hack.
• Still using long ASP.NET IDs. You really need to do your home work and read documentation.
• Viewstate embedded right on a page. No comments here. If I see that my only hope that it's properly encrypted. How fast have you expected it to load?
• Still using hidden input elements to manage state. Have you considered other methods like Session maybe?
• Still using server controls for simple HTML like 'a' or 'li'. I call this lazy and I want to blame your team's coding best practice policies for that.
• Multiple different JavaScript libraries are present for example jQuery and Microsoft Ajax, that functionally overlap with each other. You do need to make up your mind and pick up just one.

Recommendations

Try follow the suggestions below as they are proven best practice and help develop much better web sites.

• Use HTML 5.
• Minify and bundle CSS and JavaScript files. Not only doing that improves web site load times but also makes development and maintenance easier. Take a look at http://msdn.microsoft.com/en-us/library/system.web.optimization.aspx and also try to search for ASP.NET Bundling.
• When develop on JavaScript treat it as a first class programming language and apply all the same practices as you would for a server-side language like C#. Read this http://msdn.microsoft.com/en-us/magazine/dd453033.aspx and notice that it's from the year 2009.
• Use proven JavaScript libraries that handle cross-browser compatibility well and do not try to invent your own wheel.
• Implement well known solutions for hiding framework's specifics like client IDs, Viewstate, etc. Even though you need to use them it does not mean you cannot do it right.
• Always prefer server-side technique instead of client-side for handling application state. If nothing else Session is your best friend.
• Learn and use HTML directly for simple cases instead of server controls. It's not 2001 any more and you call yourself a Web developer.
• Do not use multiple client-side libraries that functionally are similar. Not only that makes development and maintenance a nightmare but also tells a lot about your software design skills. Make your choice and use the best tool for your job.

User Experience

It's enough of technical stuff. Let me become just a regular user and tell you that when a  web site is slow, confusing, inconsistent and not cross-browser compatible it sucks. Test it thoroughly and remember the web site is your professional resume. 

Conclusion

This post was not intended as a thorough review of web development best practices and more like a spur of a moment cry-out, but come on! It is 2013 and professional web developers are supposed to build Web 3.0 web sites today for tomorrow and not for a day before yesterday. It also touches me personally when I visit web sites with similar issues because they bring shame on all the web professionals not just those who worked on a web site. Colleagues, please listen up and make improvements. Everybody will like that.