f56bb97e68
ci-deploy / build-deploy-test (push) Failing after 1m11s
Run 546 surfaced the second half of the cache-poisoning bug. /api/health (which goes through the /api/ location, not /api/dictionary/) showed `x-cache-status: STALE` text/html — meaning nginx had cached the WAF HTML block page as a 200 entry, then served it via proxy_cache_use_stale when the upstream returned 403 on a fresh fetch. The browser saw text/html for an endpoint that should be JSON, console-gate flagged the fail, and 5+ specs broke despite /api/dictionary/* being healthy. Fix is the same one-liner already applied to /api/dictionary/: require $no_cache_html (set in flights-api-cache.conf based on upstream's Content-Type) so HTML responses are never stored. Future WAF spasms return 403 directly to the client instead of dispensing months-old poisoned HTML.
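
The fix described above, as an added nginx example that is not the repository's own configuration. Only `$no_cache_html` and the `/api/` location come from the commit message; the upstream, cache zone, paths, port and timings are assumptions, and the fragment belongs inside the `http` block.

```nginx
# Constructed example: names, paths and timings below are assumptions.
proxy_cache_path /var/cache/nginx/api keys_zone=api_cache:10m inactive=60m;

upstream api_backend { server 127.0.0.1:8080; }

# 1 when the upstream response is HTML (for example a WAF block page), else 0.
# The map is evaluated lazily, so proxy_no_cache sees the Content-Type of the
# response that is about to be stored.
map $upstream_http_content_type $no_cache_html {
    default      0;
    ~*^text/html 1;
}

server {
    listen 8081;

    location /api/ {
        proxy_pass  http://api_backend;
        proxy_cache api_cache;
        proxy_cache_valid 200 5m;

        # With http_403 listed, a 403 on a fresh fetch makes nginx answer from
        # an expired entry (X-Cache-Status: STALE) instead of passing the 403 on.
        proxy_cache_use_stale error timeout http_403 http_500 http_502 http_503 http_504;

        # Before the fix: nothing restricts what a 200 may contain, so an HTML
        # block page returned with status 200 is stored like any JSON response.

        # After the fix: any value other than empty or "0" means "do not store".
        proxy_no_cache $no_cache_html;

        # Do not reference $no_cache_html in proxy_cache_bypass: that directive
        # is evaluated before the upstream responds, when the header is empty.

        # Expose the cache verdict so a check can catch STALE/HIT with text/html.
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

`proxy_no_cache` only controls what gets stored from now on; HTML entries already in the cache zone stay there until they age out or are removed.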