Caching Strategy rules

All static JS/CSS/font/image files MUST use content-hashed filenames (e.g., app.9c1a7b.js) and be served with "Cache-Control: public, max-age=31536000, immutable". HTML and other non-fingerprinted documents MUST be served with "Cache-Control: no-cache" (or equivalent) to enable conditional revalidation.

Provide a single idempotency-keyed erasure workflow that scrubs PII in primary DB, caches, search indices, and object storage; emit an audit event with erasure_request_id. (GDPR Art. 17)

Serve text-based assets (JS, CSS, JSON, SVG) with Brotli (br) when the client sends "Accept-Encoding: br" and fallback to gzip. Always set "Vary: Accept-Encoding" and do NOT compress already-compressed formats (e.g., .png, .jpg, .woff2).

Serve precompressed .br/.gz variants when the client sends Accept-Encoding, set "Vary: Accept-Encoding", and apply immutable caching for hashed assets; keep HTML revalidatable.

In Express, use serve-static with setHeaders to apply "Cache-Control: public, max-age=31536000, immutable" for files matching /\.[0-9a-f]{8,}\./ and "Cache-Control: no-cache" for HTML. Also set correct Content-Type.

For dynamic data use { cache: 'no-store' } or file-level dynamic = 'force-dynamic'. For ISR use { next: { revalidate: N, tags: [...] } }.

All cache entries containing PII must set an explicit TTL aligned to the retention policy (e.g., 24h). No indefinite storage of personal data in Redis or in-memory caches.

After server-side mutations, call revalidatePath or revalidateTag to refresh cached RSC data.

Enable content versioning and long-lived caching via ResourceChain with VersionResourceResolver and set Cache-Control to public, max-age=31536000 for static locations; keep HTML templates non-immutable.

In Kotlin Ktor, install CachingHeaders and Compression. Set immutable caching for hashed resources and no-cache for HTML; include "Vary: Accept-Encoding".

Cache frequently used, rarely changing query results in memory or an external cache with appropriate TTL/invalidations.

Memoize expensive results (regex, serializers, tokens) and refresh on expiry using a thread-safe cache.

Generate cache/Redis keys through a single utility with clear namespaces and versioning.

For PHP-served assets, emit the precise Content-Type (e.g., text/css; charset=utf-8, application/javascript, font/woff2) and set immutable caching for hashed files; never apply immutable caching to HTML.

Set HTTP headers for payment entry points and CHD-adjacent responses to prevent storage: Cache-Control: no-store, Pragma: no-cache, and appropriate privacy headers. Ensure intermediaries cannot cache PAN-related flows.

For Go static servers, set immutable Cache-Control for hashed files; otherwise set "Cache-Control: no-cache" and support conditional GET via ETag or Last-Modified using file info.

Cache expensive pure results using memoization (`||=`) or request-scoped caches.

For simple form submissions from RSC, use server actions with schema validation and then revalidate paths/tags. Avoid client fetch for trivial mutations.

Configure UseStaticFiles with OnPrepareResponse to set "Cache-Control: public, max-age=31536000, immutable" for hashed assets and "no-cache" for HTML; ensure correct Content-Type (e.g., "font/woff2", "text/css").

Protect one-time initializations with Mutex or atomic operations (computeIfAbsent/compareAndSet).

When statically prebuilding dynamic segments, implement generateStaticParams and validate params; fall back to notFound() for invalid slugs.