@travetto/web 6.0.0 → 6.0.2

package/README.md

@@ -68,6 +68,8 @@ import { BaseWebMessage } from './message.ts';
 
 export interface WebResponseContext {
   httpStatusCode?: number;
+  isPrivate?: boolean;
+  cacheableAge?: number;
 }
 
 /**
@@ -86,7 +88,7 @@ export class WebResponse<B = unknown> extends BaseWebMessage<B, WebResponseConte
 }
 ```
 
-These objects do not represent the underlying sockets provided by various http servers, but in fact are simple wrappers that track the flow through the call stack of the various [WebInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/types/interceptor.ts#L15)s and the [Endpoint](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L14) handler.  One of the biggest departures here, is that the response is not an entity that is passed around from call-site to call-site, but is is solely a return-value.  This doesn't mean the return value has to be static and pre-allocated, on the contrary streams are still supported.  The difference here is that the streams/asynchronous values will be consumed until the response is sent back to the user. The [CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L50) is a good reference for transforming a [WebResponse](https://github.com/travetto/travetto/tree/main/module/web/src/types/response.ts#L3) that can either be a stream or a fixed value.
+These objects do not represent the underlying sockets provided by various http servers, but in fact are simple wrappers that track the flow through the call stack of the various [WebInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/types/interceptor.ts#L15)s and the [Endpoint](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L14) handler.  One of the biggest departures here, is that the response is not an entity that is passed around from call-site to call-site, but is is solely a return-value.  This doesn't mean the return value has to be static and pre-allocated, on the contrary streams are still supported.  The difference here is that the streams/asynchronous values will be consumed until the response is sent back to the user. The [CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L44) is a good reference for transforming a [WebResponse](https://github.com/travetto/travetto/tree/main/module/web/src/types/response.ts#L3) that can either be a stream or a fixed value.
 
 ## Defining a Controller
 To start, we must define a [@Controller](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/controller.ts#L9), which is only allowed on classes. Controllers can be configured with:
@@ -112,13 +114,13 @@ class SimpleController {
 Once the controller is declared, each method of the controller is a candidate for being an endpoint.  By design, everything is asynchronous, and so async/await is natively supported. 
 
 The most common pattern is to register HTTP-driven endpoints.  The HTTP methods that are currently supported:
-   *  [@Get](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L43)
-   *  [@Post](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L50)
-   *  [@Put](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L57)
-   *  [@Delete](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L70)
-   *  [@Patch](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L64)
-   *  [@Head](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L76)
-   *  [@Options](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L82)
+   *  [@Get](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L42)
+   *  [@Post](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L49)
+   *  [@Put](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L56)
+   *  [@Delete](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L69)
+   *  [@Patch](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L63)
+   *  [@Head](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L75)
+   *  [@Options](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/endpoint.ts#L81)
 
 Similar to the Controller, each endpoint decorator handles the following config:
    *  `title` - The definition of the endpoint
@@ -249,7 +251,7 @@ class ContextController {
 }
 ```
 
-**Note**: When referencing the [@ContextParam](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/param.ts#L61) values, the contract for idempotency needs to be carefully inspected, if expected. You can see in the example above that the [CacheControl](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/common.ts#L55) decorator is used to ensure that the response is not cached.
+**Note**: When referencing the [@ContextParam](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/param.ts#L61) values, the contract for idempotency needs to be carefully inspected, if expected. You can see in the example above that the [CacheControl](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/common.ts#L48) decorator is used to ensure that the response is not cached.
 
 ### Validating Inputs
 The module provides high level access for [Schema](https://github.com/travetto/travetto/tree/main/module/schema#readme "Data type registry for runtime validation, reflection and binding.") support, via decorators, for validating and typing request inputs. 
@@ -376,8 +378,8 @@ Out of the box, the web framework comes with a few interceptors, and more are co
    1. global - Intended to run outside of the request flow - [AsyncContextInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/context.ts#L13)
    1. terminal - Handles once request and response are finished building - [LoggingInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/logging.ts#L28), [RespondInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/respond.ts#L12)
    1. pre-request - Prepares the request for running - [TrustProxyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/trust-proxy.ts#L23)
-   1. request - Handles inbound request, validation, and body preparation - [DecompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/decompress.ts#L53), [AcceptInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/accept.ts#L34), [BodyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body.ts#L57), [CookieInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cookie.ts#L60) 
-   1. response - Prepares outbound response - [CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L50), [CorsInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cors.ts#L51), [EtagInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/etag.ts#L34), [ResponseCacheInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/response-cache.ts#L30) 
+   1. request - Handles inbound request, validation, and body preparation - [DecompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/decompress.ts#L53), [AcceptInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/accept.ts#L33), [BodyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body.ts#L58), [CookieInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cookie.ts#L60) 
+   1. response - Prepares outbound response - [CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L44), [CorsInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cors.ts#L51), [EtagInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/etag.ts#L43), [CacheControlInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cache-control.ts#L23) 
    1. application - Lives outside of the general request/response behavior, [Web Auth](https://github.com/travetto/travetto/tree/main/module/auth-web#readme "Web authentication integration support for the Travetto framework") uses this for login and logout flows.
 
 ### Packaged Interceptors
@@ -423,7 +425,7 @@ export class TrustProxyConfig {
 ```
 
 #### AcceptInterceptor
-[AcceptInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/accept.ts#L34) handles verifying the inbound request matches the allowed content-types. This acts as a standard gate-keeper for spurious input.
+[AcceptInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/accept.ts#L33) handles verifying the inbound request matches the allowed content-types. This acts as a standard gate-keeper for spurious input.
 
 **Code: Accept Config**
 ```typescript
@@ -476,7 +478,7 @@ export class CookieConfig implements CookieSetOptions {
   /**
    * Supported only via http (not in JS)
    */
-  httpOnly = true;
+  httponly = true;
   /**
    * Enforce same site policy
    */
@@ -502,7 +504,7 @@ export class CookieConfig implements CookieSetOptions {
 ```
 
 #### BodyInterceptor
-[BodyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body.ts#L57) handles the inbound request, and converting the body payload into an appropriate format.
+[BodyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body.ts#L58) handles the inbound request, and converting the body payload into an appropriate format.
 
 **Code: Body Config**
 ```typescript
@@ -514,7 +516,7 @@ export class WebBodyConfig {
   /**
    * Max body size limit
    */
-  limit: `${number}${'mb' | 'kb' | 'gb' | 'b' | ''}` = '1mb';
+  limit: ByteSizeInput = '1mb';
   /**
    * How to interpret different content types
    */
@@ -530,7 +532,7 @@ export class WebBodyConfig {
 ```
 
 #### CompressInterceptor
-[CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L50) by default, will compress all valid outbound responses over a certain size, or for streams will cache every response. This relies on Node's [Buffer](https://nodejs.org/api/zlib.html) support for compression.
+[CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L44) by default, will compress all valid outbound responses over a certain size, or for streams will cache every response. This relies on Node's [Buffer](https://nodejs.org/api/zlib.html) support for compression.
 
 **Code: Compress Config**
 ```typescript
@@ -543,10 +545,6 @@ export class CompressConfig {
    * Raw encoding options
    */
   raw?: (ZlibOptions & BrotliOptions) | undefined;
-  /**
-   * Preferred encodings
-   */
-  preferredEncodings?: WebCompressEncoding[] = ['br', 'gzip', 'identity'];
   /**
    * Supported encodings
    */
@@ -555,7 +553,7 @@ export class CompressConfig {
 ```
 
 #### EtagInterceptor
-[EtagInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/etag.ts#L34) by default, will tag all cacheable HTTP responses, when the response value/length is known.  Streams, and other async data sources do not have a pre-defined length, and so are ineligible for etagging.
+[EtagInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/etag.ts#L43) by default, will tag all cacheable HTTP responses, when the response value/length is known.  Streams, and other async data sources do not have a pre-defined length, and so are ineligible for etagging.
 
 **Code: ETag Config**
 ```typescript
@@ -568,9 +566,16 @@ export class EtagConfig {
    * Should we generate a weak etag
    */
   weak?: boolean;
+  /**
+   * Threshold for tagging avoids tagging small responses
+   */
+  minimumSize: ByteSizeInput = '10kb';
 
   @Ignore()
   cacheable?: boolean;
+
+  @Ignore()
+  _minimumSize: number | undefined;
 }
 ```
 
@@ -611,8 +616,12 @@ export class CorsConfig {
 }
 ```
 
-#### ResponseCacheInterceptor
-[ResponseCacheInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/response-cache.ts#L30) by default, disables caching for all GET requests if the response does not include caching headers.  This can be managed by setting `web.getCache.applies: <boolean>` in your config.  This interceptor applies by default.
+#### CacheControlInterceptor
+[CacheControlInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cache-control.ts#L23) by default, enforces whatever caching policy is established on a given endpoint using the [CacheControl](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/common.ts#L48) decorator.   Additionally, the interceptor retains knowledge if it is running on a private endpoint, or not.  If the endpoint is deemed private it affects the caching header accordingly. If the endpoint directly returns a `Cache-Control` header, that takes precedence and all other logic is ignored. 
+
+This can be managed by setting `web.cache.applies: <boolean>` in your config. 
+
+**Note**: The [Web Auth](https://github.com/travetto/travetto/tree/main/module/auth-web#readme "Web authentication integration support for the Travetto framework") module will mark endpoints as private if they require authentication.
 
 ### Configuring Interceptors
 All framework-provided interceptors, follow the same patterns for general configuration.  This falls into three areas:
@@ -726,14 +735,11 @@ export class SimpleAuthInterceptor implements WebInterceptor {
 ```
 
 ## Cookie Support
-Cookies are a unique element, within the framework, as they sit on the request and response flows.  Ideally we would separate these out, but given the support for key rotation, there is a scenario in which reading a cookie on the request, will result in a cookie needing to be written on the response.  Because of this, cookies are treated as being outside the normal [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11) activity, and is exposed as the [@ContextParam](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/param.ts#L61) [CookieJar](https://github.com/travetto/travetto/tree/main/module/web/src/util/cookie.ts#L11).  The [CookieJar](https://github.com/travetto/travetto/tree/main/module/web/src/util/cookie.ts#L11) has a fairly basic contract:
+Cookies are a unique element, within the framework, as they sit on the request and response flows.  Ideally we would separate these out, but given the support for key rotation, there is a scenario in which reading a cookie on the request, will result in a cookie needing to be written on the response.  Because of this, cookies are treated as being outside the normal [WebRequest](https://github.com/travetto/travetto/tree/main/module/web/src/types/request.ts#L11) activity, and is exposed as the [@ContextParam](https://github.com/travetto/travetto/tree/main/module/web/src/decorator/param.ts#L61) [CookieJar](https://github.com/travetto/travetto/tree/main/module/web/src/util/cookie.ts#L12).  The [CookieJar](https://github.com/travetto/travetto/tree/main/module/web/src/util/cookie.ts#L12) has a fairly basic contract:
 
 **Code: CookieJar contract**
 ```typescript
 export class CookieJar {
-  static parseCookieHeader(header: string): Cookie[];
-  static parseSetCookieHeader(header: string): Cookie;
-  static responseSuffix(c: Cookie): string[];
   constructor({ keys, ...options }: CookieJarOptions = {});
   import(cookies: Cookie[]): this;
   has(name: string, opts: CookieGetOptions = {}): boolean;

package/__index__.ts

@@ -31,14 +31,15 @@ export * from './src/interceptor/compress.ts';
 export * from './src/interceptor/context.ts';
 export * from './src/interceptor/decompress.ts';
 export * from './src/interceptor/etag.ts';
-export * from './src/interceptor/response-cache.ts';
+export * from './src/interceptor/cache-control.ts';
 export * from './src/interceptor/logging.ts';
 export * from './src/interceptor/respond.ts';
 export * from './src/interceptor/trust-proxy.ts';
 
 export * from './src/util/body.ts';
 export * from './src/util/endpoint.ts';
-export * from './src/util/mime.ts';
+export * from './src/util/header.ts';
 export * from './src/util/cookie.ts';
 export * from './src/util/common.ts';
+export * from './src/util/keygrip.ts';
 export * from './src/util/net.ts';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@travetto/web",
-  "version": "6.0.0",
+  "version": "6.0.2",
   "description": "Declarative support creating for Web Applications",
   "keywords": [
     "web",
@@ -31,17 +31,11 @@
     "@travetto/registry": "^6.0.0",
     "@travetto/runtime": "^6.0.0",
     "@travetto/schema": "^6.0.0",
-    "@types/fresh": "^0.5.2",
-    "@types/keygrip": "^1.0.6",
-    "@types/negotiator": "^0.6.3",
-    "find-my-way": "^9.3.0",
-    "fresh": "^0.5.2",
-    "keygrip": "^1.1.0",
-    "negotiator": "^1.0.0"
+    "find-my-way": "^9.3.0"
   },
   "peerDependencies": {
     "@travetto/cli": "^6.0.0",
-    "@travetto/test": "^6.0.0",
+    "@travetto/test": "^6.0.1",
     "@travetto/transformer": "^6.0.0"
   },
   "peerDependenciesMeta": {

package/src/decorator/common.ts

@@ -1,10 +1,9 @@
-import { asConstructable, castTo, Class, TimeSpan } from '@travetto/runtime';
+import { asConstructable, castTo, Class, TimeSpan, TimeUtil } from '@travetto/runtime';
 
 import { ControllerRegistry } from '../registry/controller.ts';
 import { EndpointConfig, ControllerConfig, DescribableConfig, EndpointDecorator, EndpointFunctionDescriptor } from '../registry/types.ts';
 import { AcceptInterceptor } from '../interceptor/accept.ts';
 import { WebInterceptor } from '../types/interceptor.ts';
-import { WebCommonUtil, CacheControlFlag } from '../util/common.ts';
 
 function register(config: Partial<EndpointConfig | ControllerConfig>): EndpointDecorator {
   return function <T>(target: T | Class<T>, property?: string, descriptor?: EndpointFunctionDescriptor) {
@@ -40,27 +39,25 @@ export function SetHeaders(headers: EndpointConfig['responseHeaders']): Endpoint
  */
 export function Produces(mime: string): EndpointDecorator { return SetHeaders({ 'Content-Type': mime }); }
 
-/**
- * Specifies if endpoint should be conditional
- */
-export function ConditionalRegister(handler: () => (boolean | Promise<boolean>)): EndpointDecorator {
-  return register({ conditional: handler });
-}
+type CacheControlInput = { cacheableAge?: number | TimeSpan, isPrivate?: boolean };
 
 /**
  * Set the max-age of a response based on the config
  * @param value The value for the duration
- * @param unit The unit of measurement
  */
-export function CacheControl(value: number | TimeSpan, flags: CacheControlFlag[] = []): EndpointDecorator {
-  return SetHeaders({ 'Cache-Control': WebCommonUtil.getCacheControlValue(value, flags) });
+export function CacheControl(input: TimeSpan | number | CacheControlInput, extra?: Omit<CacheControlInput, 'cacheableAge'>): EndpointDecorator {
+  if (typeof input === 'string' || typeof input === 'number') {
+    input = { ...extra, cacheableAge: input };
+  }
+  const { cacheableAge, isPrivate } = input;
+  return register({
+    responseContext: {
+      ...(cacheableAge !== undefined ? { cacheableAge: TimeUtil.asSeconds(cacheableAge) } : {}),
+      ...isPrivate !== undefined ? { isPrivate } : {}
+    }
+  });
 }
 
-/**
- * Disable cache control, ensuring endpoint will not cache
- */
-export const DisableCacheControl = (): EndpointDecorator => CacheControl(0);
-
 /**
  * Define an endpoint to support specific input types
  * @param types The list of mime types to allow/deny
@@ -79,6 +76,13 @@ export function Accepts(types: [string, ...string[]]): EndpointDecorator {
 export const ConfigureInterceptor =
   ControllerRegistry.createInterceptorConfigDecorator.bind(ControllerRegistry);
 
+/**
+ * Specifies if endpoint should be conditional
+ */
+export function ConditionalRegister(handler: () => (boolean | Promise<boolean>)): EndpointDecorator {
+  return register({ conditional: handler });
+}
+
 /**
  * Registers an interceptor exclusion filter
  */

package/src/decorator/endpoint.ts

@@ -20,7 +20,6 @@ export function Endpoint(config: EndpointDecConfig): EndpointFunctionDecorator {
   };
 }
 
-
 function HttpEndpoint(method: HttpMethod, path: string): EndpointFunctionDecorator {
   const { body: allowsBody, cacheable, emptyStatusCode } = HTTP_METHODS[method];
   return Endpoint({

package/src/interceptor/accept.ts

@@ -2,7 +2,6 @@ import { Injectable, Inject } from '@travetto/di';
 import { Config } from '@travetto/config';
 import { Ignore } from '@travetto/schema';
 
-import { MimeUtil } from '../util/mime.ts';
 import { WebCommonUtil } from '../util/common.ts';
 
 import { WebChainedContext } from '../types/filter.ts';
@@ -39,7 +38,7 @@ export class AcceptInterceptor implements WebInterceptor<AcceptConfig> {
   config: AcceptConfig;
 
   finalizeConfig({ config }: WebInterceptorContext<AcceptConfig>): AcceptConfig {
-    config.matcher = MimeUtil.matcher(config.types ?? []);
+    config.matcher = WebCommonUtil.mimeTypeMatcher(config.types ?? []);
     return config;
   }
 

package/src/interceptor/body.ts

@@ -9,11 +9,12 @@ import { WebInterceptorCategory } from '../types/core.ts';
 import { WebInterceptor, WebInterceptorContext } from '../types/interceptor.ts';
 
 import { WebBodyUtil } from '../util/body.ts';
-import { WebCommonUtil } from '../util/common.ts';
+import { ByteSizeInput, WebCommonUtil } from '../util/common.ts';
 
 import { AcceptInterceptor } from './accept.ts';
 import { DecompressInterceptor } from './decompress.ts';
 import { WebError } from '../types/error.ts';
+import { WebHeaderUtil } from '../util/header.ts';
 
 /**
  * @concrete
@@ -35,7 +36,7 @@ export class WebBodyConfig {
   /**
    * Max body size limit
    */
-  limit: `${number}${'mb' | 'kb' | 'gb' | 'b' | ''}` = '1mb';
+  limit: ByteSizeInput = '1mb';
   /**
    * How to interpret different content types
    */
@@ -90,12 +91,13 @@ export class BodyInterceptor implements WebInterceptor<WebBodyConfig> {
       throw WebError.for('Request entity too large', 413, { length, limit });
     }
 
-    const contentType = request.headers.getContentType();
-    if (!contentType) {
+    const contentType = WebHeaderUtil.parseHeaderSegment(request.headers.get('Content-Type'));
+    if (!contentType.value) {
       return next();
     }
 
-    const parserType = config.parsingTypes[contentType.full] ?? config.parsingTypes[contentType.type];
+    const [baseType,] = contentType.value.split('/');
+    const parserType = config.parsingTypes[contentType.value] ?? config.parsingTypes[baseType];
     if (!parserType) {
       return next();
     }

package/src/interceptor/cache-control.ts

@@ -0,0 +1,50 @@
+import { Injectable, Inject } from '@travetto/di';
+import { Config } from '@travetto/config';
+
+import { WebChainedContext } from '../types/filter.ts';
+import { WebInterceptor, WebInterceptorContext } from '../types/interceptor.ts';
+import { WebInterceptorCategory } from '../types/core.ts';
+import { WebResponse } from '../types/response.ts';
+
+import { EtagInterceptor } from './etag.ts';
+
+@Config('web.cache')
+export class CacheControlConfig {
+  /**
+   * Generate response cache headers
+   */
+  applies = true;
+}
+
+/**
+ * Determines if we should cache all get requests
+ */
+@Injectable()
+export class CacheControlInterceptor implements WebInterceptor {
+
+  category: WebInterceptorCategory = 'response';
+  dependsOn = [EtagInterceptor];
+
+  @Inject()
+  config: CacheControlConfig;
+
+  applies({ config, endpoint }: WebInterceptorContext<CacheControlConfig>): boolean {
+    return config.applies && endpoint.cacheable;
+  }
+
+  async filter({ next }: WebChainedContext<CacheControlConfig>): Promise<WebResponse> {
+    const response = await next();
+    if (!response.headers.has('Cache-Control')) {
+      const parts: string[] = [response.context.isPrivate ? 'private' : 'public'];
+      const age = response.context.cacheableAge ?? (response.context.isPrivate ? 0 : undefined);
+      if (age !== undefined) {
+        if (age <= 0) {
+          parts.push('no-store');
+        }
+        parts.push(`max-age=${Math.max(age, 0)}`);
+      }
+      response.headers.set('Cache-Control', parts.join(','));
+    }
+    return response;
+  }
+}

package/src/interceptor/compress.ts

@@ -1,20 +1,18 @@
 import { buffer } from 'node:stream/consumers';
 import { BrotliOptions, constants, createBrotliCompress, createDeflate, createGzip, ZlibOptions } from 'node:zlib';
 
-// eslint-disable-next-line @typescript-eslint/naming-convention
-import Negotiator from 'negotiator';
-
 import { Injectable, Inject } from '@travetto/di';
 import { Config } from '@travetto/config';
-import { castTo } from '@travetto/runtime';
 
 import { WebInterceptor, WebInterceptorContext } from '../types/interceptor.ts';
 import { WebInterceptorCategory } from '../types/core.ts';
 import { WebChainedContext } from '../types/filter.ts';
 import { WebResponse } from '../types/response.ts';
-import { WebBodyUtil } from '../util/body.ts';
 import { WebError } from '../types/error.ts';
 
+import { WebBodyUtil } from '../util/body.ts';
+import { WebHeaderUtil } from '../util/header.ts';
+
 const COMPRESSORS = {
   gzip: createGzip,
   deflate: createDeflate,
@@ -33,10 +31,6 @@ export class CompressConfig {
    * Raw encoding options
    */
   raw?: (ZlibOptions & BrotliOptions) | undefined;
-  /**
-   * Preferred encodings
-   */
-  preferredEncodings?: WebCompressEncoding[] = ['br', 'gzip', 'identity'];
   /**
    * Supported encodings
    */
@@ -55,10 +49,10 @@ export class CompressInterceptor implements WebInterceptor {
   config: CompressConfig;
 
   async compress(ctx: WebChainedContext, response: WebResponse): Promise<WebResponse> {
-    const { raw = {}, preferredEncodings = [], supportedEncodings } = this.config;
+    const { raw = {}, supportedEncodings } = this.config;
     const { request } = ctx;
 
-    response.headers.vary('Accept-Encoding');
+    response.headers.append('Vary', 'Accept-Encoding');
 
     if (
       !response.body ||
@@ -69,15 +63,13 @@ export class CompressInterceptor implements WebInterceptor {
     }
 
     const accepts = request.headers.get('Accept-Encoding');
-    const type: WebCompressEncoding | undefined =
-      castTo(new Negotiator({ headers: { 'accept-encoding': accepts ?? '*' } })
-        .encoding([...supportedEncodings, ...preferredEncodings]));
+    const type = WebHeaderUtil.negotiateHeader(accepts ?? '*', supportedEncodings);
 
-    if (accepts && (!type || !accepts.includes(type))) {
+    if (!type) {
       throw WebError.for(`Please accept one of: ${supportedEncodings.join(', ')}. ${accepts} is not supported`, 406);
     }
 
-    if (type === 'identity' || !type) {
+    if (type === 'identity') {
       return response;
     }
 

package/src/interceptor/cookie.ts

@@ -29,7 +29,7 @@ export class CookieConfig implements CookieSetOptions {
   /**
    * Supported only via http (not in JS)
    */
-  httpOnly = true;
+  httponly = true;
   /**
    * Enforce same site policy
    */

package/src/interceptor/etag.ts

@@ -1,9 +1,9 @@
 import crypto from 'node:crypto';
-import fresh from 'fresh';
 
 import { Injectable, Inject } from '@travetto/di';
 import { Config } from '@travetto/config';
 import { Ignore } from '@travetto/schema';
+import { BinaryUtil } from '@travetto/runtime';
 
 import { WebChainedContext } from '../types/filter.ts';
 import { WebResponse } from '../types/response.ts';
@@ -11,6 +11,8 @@ import { WebInterceptor, WebInterceptorContext } from '../types/interceptor.ts';
 import { WebInterceptorCategory } from '../types/core.ts';
 import { CompressInterceptor } from './compress.ts';
 import { WebBodyUtil } from '../util/body.ts';
+import { ByteSizeInput, WebCommonUtil } from '../util/common.ts';
+import { WebHeaderUtil } from '../util/header.ts';
 
 @Config('web.etag')
 export class EtagConfig {
@@ -22,9 +24,16 @@ export class EtagConfig {
    * Should we generate a weak etag
    */
   weak?: boolean;
+  /**
+   * Threshold for tagging avoids tagging small responses
+   */
+  minimumSize: ByteSizeInput = '10kb';
 
   @Ignore()
   cacheable?: boolean;
+
+  @Ignore()
+  _minimumSize: number | undefined;
 }
 
 /**
@@ -52,31 +61,37 @@ export class EtagInterceptor implements WebInterceptor {
   addTag(ctx: WebChainedContext<EtagConfig>, response: WebResponse): WebResponse {
     const { request } = ctx;
 
-    const statusCode = response.context.httpStatusCode;
+    const statusCode = response.context.httpStatusCode ?? 200;
 
-    if (statusCode && (statusCode >= 300 && statusCode !== 304)) {
+    if (
+      (statusCode >= 300 && statusCode !== 304) || // Ignore redirects
+      BinaryUtil.isReadableStream(response.body) // Ignore streams (unknown length)
+    ) {
       return response;
     }
 
     const binaryResponse = new WebResponse({ ...response, ...WebBodyUtil.toBinaryMessage(response) });
-    if (!Buffer.isBuffer(binaryResponse.body)) {
+
+    const body = binaryResponse.body;
+    if (!Buffer.isBuffer(body)) {
       return binaryResponse;
     }
 
-    const tag = this.computeTag(binaryResponse.body);
+    const minSize = ctx.config._minimumSize ??= WebCommonUtil.parseByteSize(ctx.config.minimumSize);
+    if (body.length < minSize) {
+      return binaryResponse;
+    }
+
+    const tag = this.computeTag(body);
     binaryResponse.headers.set('ETag', `${ctx.config.weak ? 'W/' : ''}"${tag}"`);
 
-    if (ctx.config.cacheable &&
-      fresh({
-        'if-modified-since': request.headers.get('If-Modified-Since')!,
-        'if-none-match': request.headers.get('If-None-Match')!,
-        'cache-control': request.headers.get('Cache-Control')!,
-      }, {
-        etag: binaryResponse.headers.get('ETag')!,
-        'last-modified': binaryResponse.headers.get('Last-Modified')!
-      })
-    ) {
-      return new WebResponse({ context: { httpStatusCode: 304 } });
+    if (ctx.config.cacheable && WebHeaderUtil.isFresh(request.headers, binaryResponse.headers)) {
+      // Remove length for the 304
+      binaryResponse.headers.delete('Content-Length');
+      return new WebResponse({
+        context: { ...response.context, httpStatusCode: 304 },
+        headers: binaryResponse.headers
+      });
     }
 
     return binaryResponse;

package/src/registry/controller.ts

@@ -50,6 +50,7 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
       externalName: cls.name.replace(/(Controller|Web|Service)$/, ''),
       endpoints: [],
       contextParams: {},
+      responseHeaders: {}
     };
   }
 
@@ -68,7 +69,8 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
       interceptorConfigs: [],
       name: endpoint.name,
       endpoint,
-      responseHeaderMap: new WebHeaders(),
+      responseHeaders: {},
+      finalizedResponseHeaders: new WebHeaders(),
       responseFinalizer: undefined
     };
 
@@ -199,7 +201,7 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
    * @param src Root describable (controller, endpoint)
    * @param dest Target (controller, endpoint)
    */
-  mergeDescribable(src: Partial<ControllerConfig | EndpointConfig>, dest: Partial<ControllerConfig | EndpointConfig>): void {
+  mergeCommon(src: Partial<ControllerConfig | EndpointConfig>, dest: Partial<ControllerConfig | EndpointConfig>): void {
     dest.filters = [...(dest.filters ?? []), ...(src.filters ?? [])];
     dest.interceptorConfigs = [...(dest.interceptorConfigs ?? []), ...(src.interceptorConfigs ?? [])];
     dest.interceptorExclude = dest.interceptorExclude ?? src.interceptorExclude;
@@ -207,6 +209,7 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
     dest.description = src.description || dest.description;
     dest.documented = src.documented ?? dest.documented;
     dest.responseHeaders = { ...src.responseHeaders, ...dest.responseHeaders };
+    dest.responseContext = { ...src.responseContext, ...dest.responseContext };
   }
 
   /**
@@ -231,7 +234,7 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
       srcConf.path = `/${srcConf.path}`;
     }
 
-    this.mergeDescribable(config, srcConf);
+    this.mergeCommon(config, srcConf);
 
     return descriptor;
   }
@@ -252,7 +255,7 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
     srcConf.contextParams = { ...srcConf.contextParams, ...config.contextParams };
 
 
-    this.mergeDescribable(config, srcConf);
+    this.mergeCommon(config, srcConf);
   }
 
   /**
@@ -266,7 +269,8 @@ class $ControllerRegistry extends MetadataRegistry<ControllerConfig, EndpointCon
       this.#endpointsById.set(ep.id, ep);
       // Store full path from base for use in other contexts
       ep.fullPath = `/${final.basePath}/${ep.path}`.replace(/[/]{1,4}/g, '/').replace(/(.)[/]$/, (_, a) => a);
-      ep.responseHeaderMap = new WebHeaders({ ...final.responseHeaders ?? {}, ...ep.responseHeaders ?? {} });
+      ep.finalizedResponseHeaders = new WebHeaders({ ...final.responseHeaders, ...ep.responseHeaders });
+      ep.responseContext = { ...final.responseContext, ...ep.responseContext };
     }
 
     if (this.has(final.basePath)) {