Be clever with your Etags

I wrote about Etags some days ago, stating that:

The Etag header is, generally, a string that represents our resource in the HTTP headers.

Well, although the definition is pretty simple and good, I should be more clear about etags.

Sending etags over the network is a way to reduce bandwidth and load on your service, implementing a part of the HTTP cache specificationl: but you should really generate clever etags.

If you need to talk with the DB to generate the tag, you’re basically making your server work just a bit lesser than doing everything wthout HTTP cache, because you only save in generating the response.

A cool way to save more would be to save the query used to retrieve the resource:

Since this is a key that uniquely identifies the resource, this header could be generated based on the query used to fetch the data and generate the resource.

But be aware of using only this strategy: if you update you resource, that etag will always send a 304 to your consumer.

That’s why the HTTP specification gives us the possibility to mix caching strategies, with validation and expiration.

Mixing them, you’ll be able to save bandwith and computational resources giving your consumer more consistent data.

P.S. Yes, the web is inconsistent. Get over it.


Hi there! I recently wrote an ebook on web application security, currently sold on leanpub, the Amazon Kindle store and gumroad.

It contains 160+ pages of content dedicated to securing web applications and improving your security awareness when building web apps, with chapters ranging from explaining how to secure HTTP cookies with the right flags to understanding why it is important to consider joining a bug bounty program.

Feel free to skim through some of the free chapters published on this blog and, if the content seems interesting enough to you, grab a copy on leanpub, the Amazon Kindle store, gumroad or simply checkout right down below!

Buy the Web Application Security ebook for $6.99

In the mood for some more reading?

...or check the archives.