On 14 Feb 2011, at 2:15 AM, Paul Querna wrote:
> It does a single request to the backend, but doesn't _invalidate_ the existing cache, which would cause a flood of other, non-attacker clients to come in.
I think that would be the origin of Roy saying that we should only invalidate if the result is 2xx. Someone trying methods in the hope they would do something would get a 405 Method Not Supported.
Regards,
Graham
--
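The policy discussed in this thread, as an added example that is not part of the original messages and is not mod_cache code: a constructed Python model of a cache in front of a backend, comparing "invalidate on any unsafe method" with "invalidate only if the result is 2xx". The class names, the `BOGUS` method and the URL are assumptions made for the illustration.

```python
from collections import Counter

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class Origin:
    """Constructed backend: serves GET, accepts PUT, answers 405 to anything else."""

    def __init__(self):
        self.hits = Counter()  # backend requests, keyed by method

    def handle(self, method, url):
        self.hits[method] += 1
        return 200 if method in ("GET", "PUT") else 405


class Cache:
    def __init__(self, origin, invalidate_on_2xx_only):
        self.origin = origin
        self.invalidate_on_2xx_only = invalidate_on_2xx_only
        self.fresh = set()  # URLs with a fresh cached GET response

    def request(self, method, url):
        if method == "GET" and url in self.fresh:
            return 200  # cache hit, backend not contacted
        status = self.origin.handle(method, url)
        if method == "GET" and status == 200:
            self.fresh.add(url)
        elif method not in SAFE_METHODS:
            # Unsafe method: decide whether the stored entry must be dropped.
            if not self.invalidate_on_2xx_only or 200 <= status < 300:
                self.fresh.discard(url)
        return status


def simulate(invalidate_on_2xx_only, rounds=100, url="/index.html"):
    """Alternate a rejected method with an ordinary GET; return backend hits by method."""
    origin = Origin()
    cache = Cache(origin, invalidate_on_2xx_only)
    cache.request("GET", url)  # warm the cache
    for _ in range(rounds):
        cache.request("BOGUS", url)  # rejected by the origin with 405
        cache.request("GET", url)    # ordinary client
    return cache, origin.hits


if __name__ == "__main__":
    for policy in (False, True):
        print("2xx-only" if policy else "always", dict(simulate(policy)[1]))
```

With the 2xx-only policy each rejected request costs one backend request and ordinary GETs keep being served from the cache; a PUT that succeeds still invalidates the entry.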