When running an audit in Chrome on a self-hosted bootstrap webapp, one suggestion it makes is to serve static content from a host that does not send cookies.
Any recommendations as to how one would add that to the built-in VFS ?
Cookies only get added if you add the SessionFeature plugin (which is also implicitly added by AuthFeature).
So if you don’t have those plugins registered. ServiceStack wont send any Cookies itself.
But I’m assuming the recommendation is to host the static files on a different domain to the one running the app (e.g. a CDN) since browsers by design resend cookies for any requests to that domain, so moving it to a different domain means they wont have any cookies to send to the new domain.
But SS Cookies are very small so this wont offer much of an improvement if that’s the only cookies you’re trying to save.
Yes the AuthFeature is enabled - hence my curiosity as to how it might be possible to host some files differently than others.
No worries, as you say, the overall size is not significant.
Note: it’s not the Server that sends Cookies, it’s the client, i.e. browsers automatically re-send cookies for a particular domain - this is why the recommendation is to move static files on a different domain to prevent the browsers from resending them (which is what they’re trying to save here).
The static files themselves aren’t adding any Cookies to the HTTP response, this is purely about saving cookies from being sent with the HTTP Request.
Gotcha. Thanks for clearing that up.