LowFile-scopePHP Plug & play

Correct Content-Type and cache headers for assets

For PHP-served assets, emit the precise Content-Type (e.g., text/css; charset=utf-8, application/javascript, font/woff2) and set immutable caching for hashed files; never apply immutable caching to HTML.

Add to Mesrai Open workspace

Why this matters

Accurate MIME types and tailored caching improve compatibility and speed.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php header("Content-Type: text/plain"); readfile("app.js");

Prefer

<?php if (preg_match('/\\.[0-9a-f]{8,}\\./', \$file)) { header('Cache-Control: public, max-age=31536000, immutable'); } header('Content-Type: application/javascript; charset=utf-8'); readfile(\$file);

More snippets

Good

header("Cache-Control: public, max-age=31536000, immutable");

Bad

header("Content-Type: text/plain");

Related rules

From the same buckets as this rule.

Critical
Fingerprint assets and cache immutably
All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.
web-static-assetscaching-strategy+2
High
Compress text assets with Brotli/Gzip and set Vary
Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).
web-static-assetsperformance-efficiency+1
High
Immutable cache and Vary for precompressed files
Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.
web-static-assetscaching-strategy+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php header("Content-Type: text/plain"); readfile("app.js");

Prefer

<?php if (preg_match('/\\.[0-9a-f]{8,}\\./', \$file)) { header('Cache-Control: public, max-age=31536000, immutable'); } header('Content-Type: application/javascript; charset=utf-8'); readfile(\$file);

More snippets

Good

header("Cache-Control: public, max-age=31536000, immutable");

Bad

header("Content-Type: text/plain");

Related rules

From the same buckets as this rule.

Critical

Fingerprint assets and cache immutably

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

web-static-assetscaching-strategy+2

High

Compress text assets with Brotli/Gzip and set Vary

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

web-static-assetsperformance-efficiency+1

High

Immutable cache and Vary for precompressed files

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

web-static-assetscaching-strategy+1