fix(nginx): serve index.html with no-cache (H1)#51
Merged
Conversation
Add a dedicated location = /index.html block that sets Cache-Control: no-cache and re-declares all five security headers (nginx add_header in a location replaces server-level headers). Hashed assets stay immutable. Browsers now always fetch fresh index.html with new asset hashes after a deploy, removing the manual hard-reload workaround. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Small ops/frontend hardening from the 2026-07-07 backlog (H1), prepared as its own
spec+plan under
docs/superpowers/.Problem
frontend/nginx-spa.confservesindex.htmlwith noCache-Control. Theasset-cache regex deliberately doesn't match
.html, so index.html is neitherimmutablenorno-cache. A browser can therefore hold a staleindex.html(with old asset hashes) after a deploy until a manual hard-reload — exactly what
was seen after the v1.0.07 redeploy (2026-07-07).
Fix
Add a dedicated
location = /index.htmlblock settingCache-Control: no-cache.Because nginx
add_headerin a location replaces the server-level headers(they aren't inherited when the child block has its own
add_header), the blockre-declares all five security headers (X-Content-Type-Options, X-Frame-Options,
Referrer-Policy, Permissions-Policy, CSP) alongside the new
Cache-Control.Hashed assets keep
public, immutable/ 1-year.docker/nginx.conf(composeproxy) needs no change.
Verification
No frontend test framework, so verified against the built config on
nginx:alpine:nginx -t→ syntax OK.curl -I /and/index.html→Cache-Control: no-cacheand all fivesecurity headers (incl. CSP) present.
curl -I /assets/index-<hash>.js→ stillpublic, immutable+ 1-year Expires,no
no-cache.Spec/plan:
docs/superpowers/specs/2026-07-10-h1-nginx-index-nocache-design.mdand matching
plans/(on local main).🤖 Generated with Claude Code