What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
Dynamic content caching answers one question: can a later request safely reuse a response generated for an earlier request?
That sounds simple, but it is where most caching mistakes happen. A public article page, product category, or logged-out homepage may be generated by a CMS and still be safe to reuse for many visitors. A checkout page, account dashboard, admin page, private API response, or cart view is dynamic in a different way. Reusing it for the wrong person would be a privacy failure, not a performance win.
The practical goal is to move repeatable work away from origin without pretending every dynamic route is public. Advanced caching gives teams controls for keys, tags, purge state, shielded misses, and evidence so those decisions can be made per route.
Traditional static caching is easy because /logo.png is usually the same for every visitor. Dynamic HTML needs more context. The cache key may include the scheme, host, path, query string, selected headers, cookies, device hints, language, currency, or another request attribute that changes the response. If two requests map to the same key, the cache can reuse the stored response. If they should not share a response, the key or rule needs to keep them apart.
This is why Vary matters. Vary: accept-encoding is normal because gzip and Brotli responses differ. Vary: user-agent can be useful when the origin genuinely serves different content, but it is often sent when the content does not actually change. That fragments the cache into many versions, lowers hit rates, and sends more traffic back to origin. A good cache policy reflects real response behaviour, not whatever headers the application happens to emit.
| Route or response type | Usual cache stance | Reason |
|---|---|---|
| Public articles, catalogue pages, landing pages | Cache with tags and purge controls | Same content is reused often and origin generation is avoidable. |
| Regional or language variants | Cache with explicit key inputs | Responses can be reused inside the right segment. |
| Search or inventory API reads | Short TTL or carefully keyed cache | Useful when freshness and query shape are understood. |
| Login, checkout, account, admin, private API routes | Bypass shared cache | Responses are user-specific or security-sensitive. |
Responses with Set-Cookie or Cache-Control: private |
Treat as private unless a rule proves otherwise | These are strong signals that reuse may be unsafe. |
Caching dynamic pages always carries a freshness tradeoff. A short TTL keeps stale content from living long, but it also means busy pages fall back to origin more often. Long TTLs give strong hit rates, but only if the site can purge accurately when content changes.
Cache tags solve that publishing problem better than clearing the whole cache. A WordPress article, product, category, homepage module, and author archive can all carry different tags. When the article changes, the cache can purge the affected tags instead of forcing every page back to origin. Peakhour's WordPress plugin uses automatic cache tags so publishing updates can refresh the right content without turning routine edits into a full-cache invalidation.
For ecommerce and CMS sites, this is where dynamic caching becomes operational. Catalogue and content pages can stay fast at the edge. Checkout, account, and admin routes stay private. Purges are tied to content changes rather than guesswork.
A cache miss is not only slower for the visitor. On a busy site it can multiply origin work. If an expired product page is requested from many edge locations at once, each POP may try to rebuild the same response unless there is a shield layer.
Origin Shield routes misses through a nominated POP near the origin so the shield can act as the upstream cache. Request collapsing goes further: when multiple requests miss for the same cache key, one origin request can be used to satisfy the waiting clients. If the origin response turns out to be private, for example because it has Set-Cookie or Cache-Control: private, the requests should not be reused.
The result is not "cache everything". It is fewer duplicated origin fetches for responses that are known to be shareable.
Dynamic caching needs evidence because small rule changes can have large effects. Cache-Status is useful because it can show whether a response was a hit, why it was forwarded, the remaining TTL, whether it was stored, which key was used, and whether a miss was collapsed. Peakhour can expose this through debug headers and analytics, alongside hit ratio, miss causes, latency, purge state, and origin fetches.
The review loop should be plain. Pick a route, decide who can share the response, set the key and freshness policy, publish or purge content, then test the same path as a logged-out visitor, logged-in user, buyer, admin, and API client where relevant. A safe dynamic cache is one that makes public repeat traffic faster while keeping private routes private and origin load visible.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.