HighFile-scope Plug & play

Compress text assets with Brotli/Gzip and set Vary

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

Add to Mesrai Open workspace

Why this matters

Brotli significantly reduces transfer sizes for text assets and the Vary header prevents cache poisoning across clients.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

GET /img/logo.png
200 OK
Content-Encoding: gzip

/ double-compressing a PNG increases size and latency /

Prefer

GET /app.9c1a7b.js
200 OK
Content-Encoding: br
Vary: Accept-Encoding

/ optimal compression with correct cache variation /

More snippets

Good

Content-Encoding: br
Vary: Accept-Encoding

Bad

Content-Encoding: gzip
/ for .png /

Related rules

From the same buckets as this rule.

Critical
Fingerprint assets and cache immutably
All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.
web-static-assetscaching-strategy+2
High
Immutable cache and Vary for precompressed files
Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.
web-static-assetscaching-strategy+1
High
Immutable cache for hashed assets, no-cache for HTML
In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.
web-static-assetscaching-strategy+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

GET /img/logo.png
200 OK
Content-Encoding: gzip

/ double-compressing a PNG increases size and latency /

Prefer

GET /app.9c1a7b.js
200 OK
Content-Encoding: br
Vary: Accept-Encoding

/ optimal compression with correct cache variation /

More snippets

Good

Content-Encoding: br
Vary: Accept-Encoding

Bad

Content-Encoding: gzip
/ for .png /

Related rules

From the same buckets as this rule.

Critical

Fingerprint assets and cache immutably

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

web-static-assetscaching-strategy+2

High

Immutable cache and Vary for precompressed files

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

web-static-assetscaching-strategy+1

High

Immutable cache for hashed assets, no-cache for HTML

In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.

web-static-assetscaching-strategy+1