[spiznnx]

with spammed curl -i, I get

  Too many requests, please try again later.HTTP/2 429 
  date: Wed, 14 Aug 2024 22:09:40 GMT
  content-type: text/html;charset=UTF-8
  expires: Thu, 19 Nov 1981 08:52:00 GMT
  cache-control: no-store, no-cache, must-revalidate
  pragma: no-cache
  retry-after: 3600
  vary: Accept-Encoding
  set-cookie: PHPSESSID=b25ece07c8923fa6b66b14599e1ed545; path=/
  cf-cache-status: DYNAMIC
  report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z4hhYJcawKduyEdIbsTqPNE6k1o7YSkmMFlcDvDfe%2BvU7V8B%2FFJj4mItPssnI96kp1Ot%2B7jadmhYVWC%2BpAKG4zrqN%2FG6cY7KXDJJtFH2gQwQCNwGfS6Rbsu4xOCnMhoyT7U%3D"}],"group":"cf-nel","max_age":604800}
  nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  server: cloudflare
  cf-ray: 8b3445445e51f93d-SJC

Expires header in the past seems suspect. And all the header names are lowercased.

[jkrejcha]

It's usually used to prevent caching from older caching systems.

Fun fact: this specific value of Expires is the birthday of Sasha Schumann, the person who added this code to PHP[1][2].

[1]: https://stackoverflow.com/a/8194500/2805120

[2]: https://github.com/php/php-src/blob/master/ext/session/sessi...

[nsheridan]

Expires header in the past is typically used to prevent caching.

The lower-case headers is part of the http2 specification.

[niloc132]

Lower case headers are required for http/2 requests and responses.