CriticalFile-scope Plug & play

Fingerprint assets and cache immutably

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

Add to Mesrai Open workspace

Why this matters

Hashed filenames guarantee cache-busting on deploys and enable safe year-long immutable caching for fast repeat loads.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

GET /assets/app.js
200 OK
Cache-Control: max-age=600

/* filename without hash; short-lived cache /

Prefer

GET /assets/app.9c1a7b.js
200 OK
Cache-Control: public, max-age=31536000, immutable

/ hashed filename; immutable caching /

More snippets

Good

Cache-Control: public, max-age=31536000, immutable

Bad

Cache-Control: max-age=600

Related rules

From the same buckets as this rule.

High
Compress text assets with Brotli/Gzip and set Vary
Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).
web-static-assetsperformance-efficiency+1
High
Immutable cache and Vary for precompressed files
Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.
web-static-assetscaching-strategy+1
High
Immutable cache for hashed assets, no-cache for HTML
In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.
web-static-assetscaching-strategy+1

Fingerprint assets and cache immutably

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

GET /assets/app.js
200 OK
Cache-Control: max-age=600

/* filename without hash; short-lived cache /

Prefer

GET /assets/app.9c1a7b.js
200 OK
Cache-Control: public, max-age=31536000, immutable

/ hashed filename; immutable caching /

More snippets

Good

Cache-Control: public, max-age=31536000, immutable

Bad

Cache-Control: max-age=600

Related rules

From the same buckets as this rule.

High

Compress text assets with Brotli/Gzip and set Vary

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

web-static-assetsperformance-efficiency+1

High

Immutable cache and Vary for precompressed files

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

web-static-assetscaching-strategy+1

High

Immutable cache for hashed assets, no-cache for HTML

In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.

web-static-assetscaching-strategy+1