HighFile-scopeJavaScript / TypeScript Plug & play

Immutable cache for hashed assets, no-cache for HTML

In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.

Add to Mesrai Open workspace

Why this matters

Differentiating asset types ensures fast repeat loads while keeping documents revalidatable.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

app.use(express.static('public')); // default headers, no hashing awareness

Prefer

app.use(express.static('public', { setHeaders:(res, path)=>{ if(/\.[0-9a-f]{8,}\./.test(path)){ res.setHeader('Cache-Control','public, max-age=31536000, immutable'); } else if(path.endsWith('.html')){ res.setHeader('Cache-Control','no-cache'); } } }));

More snippets

Good

res.setHeader('Cache-Control','public, max-age=31536000, immutable')

Bad

app.use(express.static('public')) // no Cache-Control

Related rules

From the same buckets as this rule.

Critical
Fingerprint assets and cache immutably
All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.
web-static-assetscaching-strategy+2
High
Compress text assets with Brotli/Gzip and set Vary
Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).
web-static-assetsperformance-efficiency+1
High
Immutable cache and Vary for precompressed files
Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.
web-static-assetscaching-strategy+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

app.use(express.static('public')); // default headers, no hashing awareness

Prefer

app.use(express.static('public', { setHeaders:(res, path)=>{ if(/\.[0-9a-f]{8,}\./.test(path)){ res.setHeader('Cache-Control','public, max-age=31536000, immutable'); } else if(path.endsWith('.html')){ res.setHeader('Cache-Control','no-cache'); } } }));

More snippets

Good

res.setHeader('Cache-Control','public, max-age=31536000, immutable')

Bad

app.use(express.static('public')) // no Cache-Control

Related rules

From the same buckets as this rule.

Critical

Fingerprint assets and cache immutably

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

web-static-assetscaching-strategy+2

High

Compress text assets with Brotli/Gzip and set Vary

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

web-static-assetsperformance-efficiency+1

High

Immutable cache and Vary for precompressed files

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

web-static-assetscaching-strategy+1