LowFile-scopeGo Plug & play

ETag/Last-Modified for non-immutable assets

For Go static servers, set immutable Cache-Control for hashed files; otherwise set "Cache-Control: no-cache" and support conditional GET via ETag or Last-Modified using file info.

Add to Mesrai Open workspace

Why this matters

Validators prevent unnecessary transfers while keeping clients fresh.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

http.Handle("/", http.FileServer(http.Dir("./public"))) // no headers

Prefer

http.HandleFunc("/", func(w http.ResponseWriter, r http.Request){ p := r.URL.Path; if hashRE.MatchString(p){ w.Header().Set("Cache-Control","public, max-age=31536000, immutable") } else { w.Header().Set("Cache-Control","no-cache"); w.Header().Set("ETag", etagFor(p)) } http.ServeFile(w, r, path.Join("public", p)) })

More snippets

Good

w.Header().Set("Cache-Control","public, max-age=31536000, immutable")

Bad

http.FileServer(http.Dir("./public")) // default

Related rules

From the same buckets as this rule.

Critical
Fingerprint assets and cache immutably
All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.
web-static-assetscaching-strategy+2
High
Compress text assets with Brotli/Gzip and set Vary
Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).
web-static-assetsperformance-efficiency+1
High
Immutable cache and Vary for precompressed files
Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.
web-static-assetscaching-strategy+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

http.Handle("/", http.FileServer(http.Dir("./public"))) // no headers

Prefer

http.HandleFunc("/", func(w http.ResponseWriter, r http.Request){ p := r.URL.Path; if hashRE.MatchString(p){ w.Header().Set("Cache-Control","public, max-age=31536000, immutable") } else { w.Header().Set("Cache-Control","no-cache"); w.Header().Set("ETag", etagFor(p)) } http.ServeFile(w, r, path.Join("public", p)) })

More snippets

Good

w.Header().Set("Cache-Control","public, max-age=31536000, immutable")

Bad

http.FileServer(http.Dir("./public")) // default

Related rules

From the same buckets as this rule.

Critical

Fingerprint assets and cache immutably

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

web-static-assetscaching-strategy+2

High

Compress text assets with Brotli/Gzip and set Vary

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

web-static-assetsperformance-efficiency+1

High

Immutable cache and Vary for precompressed files

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

web-static-assetscaching-strategy+1