Document Cache Response Header

document-cache-response-header

Severity: info. Tags: experience:documentation, experience:reliability, experience:performance, spec:responses, spec:headers, topic:caching

Cache usage in responses SHOULD be documented in Cache-Control and/or Expires. {{error}}

Cache usage SHOULD be extensively detailed in the description property to avoid data leaks or the usage of stale data. This rule should ensure in some way that the API provider documented the cache usage extensively to avoid data leaks or the usage of stale data. For now this ruleset tests:

* the presence of the following keywords in the description: max-age, private, no-store, no-cache;
* that one and only one of Expires and Cache-Control is used.

Cache-Control and Expires should not be used in conjunction, because Cache-Control overrides Expires when max-age is set. If neither Cache-Control nor Expires is set, clients MAY use heuristic caching as described in RFC 7234.

Rule definition

The full Spotlight rule — drop it into a ruleset (.spotlight.yaml / .spectral.yaml) and run it with any Spotlight tool.

document-cache-response-header:
  title: Document Cache Response Header
  reference: https://spotlight-rules.com/spec/rules/openapi/document-cache-response-header/
  description: "Cache usage SHOULD be extensively detailed in the `description`
    property to avoid data leaks or the usage of stale data. This rule should
    ensure in some way that the api provider documented extensively the cache
    usage to avoid data leaks or usage of stale data. For now this ruleset
    tests: * the presence of following keywords in the `description`: `max-age`,
    `private`, `no-store`, `no-cache`. * that one and only one between Expires
    and Cache-Control is used. `Cache-Control` and `Expires` should not be used
    in conjunction, because `Cache-Control` overrides `Expires` when `max-age` is
    set. Instead if neither `Cache-Control` or `Expires` are set, clients MAY
    use heuristic cache like described in RFC7234."
  message: Cache usage in responses SHOULD be documented in Cache-Control and/or
    Expires. {{error}}
  severity: info
  given: $.[responses][?(@property[0] == "2"
    )][headers].[?(@property.match(/Cache-Control|Expires/i))]]
  then:
    - field: description
      function: truthy
    - field: description
      function: pattern
      functionOptions:
        match: .*(max-age|private|no-store|no-cache).*
  formats:
    - oas3
  tags:
    - format:openapi
    - spec:responses
    - spec:headers
    - topic:caching
    - experience:documentation
    - experience:reliability
    - experience:performance
  prompt: "You are editing an OpenAPI document to satisfy the Spotlight API
    governance rule 'document-cache-response-header' (Document Cache Response
    Header). Requirement: Cache usage SHOULD be extensively detailed in the
    `description` property to avoid data leaks or the usage of stale data. This
    rule should ensure in some way that the api provider documented extensively
    the cache usage to avoid data leaks or usage of stale data. For now this
    ruleset tests: * the presence of following keywords in the `description`:
    `max-age`, `private`, `no-store`, `no-cache`. * that one and only one
    between Expires and Cache-Control is used. `Cache-Control` and `Expires`
    should not be used in conjunction, because `Cache-Control` overrides
    `Expires` when `max-age` is set. Instead if neither `Cache-Control` or
    `Expires` are set, clients MAY use heuristic cache like described in RFC7234.
    To fix: Ensure `description` is present and non-empty at each matching
    location. Also: Ensure `description` matches the regular expression
    `.*(max-age|private|no-store|no-cache).*`; rewrite any value that does not.
    This rule is evaluated at the JSONPath `$.[responses][?(@property[0] ==
    \"2\" )][headers].[?(@property.match(/Cache-Control|Expires/i))]]` — inspect
    every location it matches and correct only what violates the rule. Make the
    smallest change that satisfies the rule, leave all unrelated content, key
    order, comments, and formatting unchanged, and keep the document valid
    OpenAPI. Return only the complete corrected document, with no commentary."
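As an added example (this is not code from the rule page or from the Spectral/Spotlight project), the following stand-alone JavaScript reproduces on an in-memory OpenAPI 3 object the two checks the `then` clauses above actually run (description present, description matches the keyword pattern), and additionally implements the Cache-Control/Expires exclusivity that the rule text states but the `then` clauses do not enforce. The function name `findCacheHeaderIssues`, the `SAMPLE_DOC` document and its routes are constructed for illustration; no Spectral dependency is needed.

```javascript
// Added example: a dependency-free re-implementation of what
// `document-cache-response-header` checks, plus the Cache-Control/Expires
// exclusivity described in the rule text. Not the project's own code.

const KEYWORD_RE = /.*(max-age|private|no-store|no-cache).*/; // same pattern as the rule's `match`
const CACHE_HEADER_RE = /Cache-Control|Expires/i;             // same header filter as the rule's `given`

// Walk every operation's 2xx responses and report cache-header documentation
// problems. Returns an array of { path, message } objects, one per violation.
function findCacheHeaderIssues(doc) {
  const issues = [];
  const paths = (doc && doc.paths) || {};
  for (const [route, pathItem] of Object.entries(paths)) {
    for (const [method, op] of Object.entries(pathItem || {})) {
      const responses = (op && op.responses) || {};
      for (const [status, response] of Object.entries(responses)) {
        if (status[0] !== '2') continue; // the rule only looks at 2xx (`@property[0] == "2"`)
        const headers = (response && response.headers) || {};
        const cacheHeaders = Object.keys(headers).filter((h) => CACHE_HEADER_RE.test(h));
        const base = `paths.${route}.${method}.responses.${status}.headers`;

        for (const name of cacheHeaders) {
          const desc = headers[name] && headers[name].description;
          if (!desc) {
            // mirrors `function: truthy`
            issues.push({ path: `${base}.${name}.description`, message: 'description is missing or empty' });
          } else if (!KEYWORD_RE.test(desc)) {
            // mirrors `function: pattern`
            issues.push({
              path: `${base}.${name}.description`,
              message: 'description does not mention max-age, private, no-store or no-cache',
            });
          }
        }

        // Exclusivity check from the rule text (assumption: header names are
        // matched case-insensitively, as the `given` expression does).
        const hasCacheControl = cacheHeaders.some((h) => /^cache-control$/i.test(h));
        const hasExpires = cacheHeaders.some((h) => /^expires$/i.test(h));
        if (hasCacheControl && hasExpires) {
          issues.push({
            path: base,
            message: 'Cache-Control and Expires are both declared; Cache-Control overrides Expires when max-age is set',
          });
        }
      }
    }
  }
  return issues;
}

// Constructed sample OpenAPI document (not from the page). It exercises the
// passing case, the missing-keyword case, the missing-description case and the
// both-headers case, plus a non-2xx response the rule must ignore.
const SAMPLE_DOC = {
  openapi: '3.0.3',
  info: { title: 'Cache header demo', version: '1.0.0' },
  paths: {
    '/accounts/{id}': {
      get: {
        responses: {
          '200': {
            description: 'Account details',
            headers: {
              'Cache-Control': {
                description: 'private, max-age=60: per-user data, cacheable only by the client for one minute',
                schema: { type: 'string' },
              },
            },
          },
        },
      },
    },
    '/catalog': {
      get: {
        responses: {
          '200': {
            description: 'Public catalog',
            headers: {
              'Cache-Control': { description: 'Caching header', schema: { type: 'string' } }, // no keyword
              Expires: { schema: { type: 'string' } },                                        // no description
            },
          },
          '404': { description: 'Not found', headers: { 'Cache-Control': { schema: { type: 'string' } } } }, // not 2xx
        },
      },
    },
  },
};

console.log(JSON.stringify(findCacheHeaderIssues(SAMPLE_DOC), null, 2));
```

Running it against `SAMPLE_DOC` reports three problems, all on the `/catalog` 200 response: the Cache-Control description carries none of the required keywords, the Expires header has no description at all, and both headers are declared together. The `/accounts/{id}` response passes, and the 404 response is skipped exactly as the rule's `given` would skip it.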
AI fix prompt — send this to Claude, Gemini, or ChatGPT with your artifact to auto-fix this rule
You are editing an OpenAPI document to satisfy the Spotlight API governance rule 'document-cache-response-header' (Document Cache Response Header). Requirement: Cache usage SHOULD be extensively detailed in the `description` property to avoid data leaks or the usage of stale data. This rule should ensure in some way that the api provider documented extensively the cache usage to avoid data leaks or usage of stale data. For now this ruleset tests: * the presence of following keywords in the `description`: `max-age`, `private`, `no-store`, `no-cache`. * that one and only one between Expires and Cache-Control is used. `Cache-Control` and `Expires` should not be used in conjunction, because `Cache-Control` overrides `Expires` when `max-age` is set. Instead if neither `Cache-Control` or `Expires` are set, clients MAY use heuristic cache like described in RFC7234. To fix: Ensure `description` is present and non-empty at each matching location. Also: Ensure `description` matches the regular expression `.*(max-age|private|no-store|no-cache).*`; rewrite any value that does not. This rule is evaluated at the JSONPath `$.[responses][?(@property[0] == "2" )][headers].[?(@property.match(/Cache-Control|Expires/i))]]` — inspect every location it matches and correct only what violates the rule. Make the smallest change that satisfies the rule, leave all unrelated content, key order, comments, and formatting unchanged, and keep the document valid OpenAPI. Return only the complete corrected document, with no commentary.
Artifact: OpenAPI
Applies at (given): $.[responses][?(@property[0] == "2" )][headers].[?(@property.match(/Cache-Control|Expires/i))]]
Severity: info — educational by default; raise to warn/error to enforce
Reference: https://spotlight-rules.com/spec/rules/openapi/document-cache-response-header/