James, On 6/11/21 8:28 PM, James Brown wrote:
Is there any reason (performance or otherwise) to use http-response instead of just turning everything into http-after-response?
There is a difference: If a http-response rule fails [1] then a standard error page will be emitted. For this error page the http-after-response rules will need be evaluated. They might fail as well, aborting the processing and causing a very simple 500 Internal Server Error to be emitted. This will suppress any other error (e.g. 503, 403, …).
So complex http-after-response rules might cause additional (debugging) issues in error situations.
I recommend using them for the most essential stuff only. In my case that is the Strict-Transport-Security header and a request ID response header.
Best regards Tim Düsterhus [1] e.g. if there's insufficient memory to add the header.