From 2928ddd439bdcdb90f6e918c5c60b880d3c955de Mon Sep 17 00:00:00 2001
From: TheFlow <theflow@sydigital.com>
Date: Mon, 9 Feb 2026 15:57:18 +1300
Subject: [PATCH] fix: Prevent cache-control middleware from caching API
 responses

The catch-all else clause in the cache-control middleware was overriding
the security middleware's no-cache headers for /api/ paths, setting them
to 'public, max-age=3600'. This caused browsers to cache stale API
responses, resulting in the blog page showing "0 posts found" despite
the API having data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/server.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/server.js b/src/server.js
index 57a16c7f..f048891e 100644
--- a/src/server.js
+++ b/src/server.js
@@ -114,7 +114,13 @@ app.use((req, res, next) => {
   else if (path === '/manifest.json') {
     res.setHeader('Cache-Control', 'public, max-age=86400'); // 1 day
   }
-  // Everything else: Short cache
+  // API responses: NEVER cache (security middleware sets this too, but catch-all below would override)
+  else if (path.startsWith('/api/')) {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+  }
+  // Everything else (static assets without extensions): Short cache
   else {
     res.setHeader('Cache-Control', 'public, max-age=3600'); // 1 hour
   }