So we have Next.js (https://nextjs.org/), and in front of it sits an Azure CDN service.
In the past, I have shot myself in the foot by assuming that the Azure CDN service will follow the cache-control instructions from the origin server, and not cache anything unless it is told to. I accidentally cached my credentials at the CDN, meaning anyone logging in used my credentials on our site. More info on this here: https://github.com/vercel/next.js/discussions/14136, but in short, the main problem was that the origin (Next.js) server sent a request through the CDN WITHOUT a cache-control header, but Azure CDN decided to cache it anyway.
This is a past problem that I resolved by creating a rule in the rules engine that tells the CDN to bypass caching for any request under a certain path (/api, https://nextjs.org/docs/api-routes/introduction).
In my opinion, this is flawed default behavior of the CDN service, and there should be a configurable option to tell the CDN service "If cache-control headers are present in the origin response, use them. If not, just forward the response".
The CDN should be configurable to not make assumptions about what should and should not be cached, but to strictly follow the cache-control header instructions from the origin server. As far as I can tell, it is currently not possible to act upon a response from the origin server in the rules engine; you can only respond to incoming requests from the user.
Am I missing something?
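
An origin-side complement to the CDN bypass rule described in the post, added here as an example (it is not code from the post or from Next.js): an audit that flags origin responses which leave the caching decision to the CDN, and a wrapper that gives every API route an explicit `no-store` default. The function names and the sample responses are constructed for illustration, and the wrapper assumes the CDN honours `Cache-Control` when the origin sends it.

```javascript
// Added example; function names and sample data are constructed for illustration.

// Status codes HTTP defines as heuristically cacheable (RFC 9110, section 15.1):
// a shared cache may store these even when the origin sends no freshness information.
const HEURISTICALLY_CACHEABLE = new Set([200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501]);

// True when a response carries no explicit caching instruction, so the
// decision to store it is left to the CDN's defaults.
function leavesCachingToCdn(status, headers) {
  const names = Object.keys(headers).map((n) => n.toLowerCase());
  const explicit = names.includes('cache-control') || names.includes('expires');
  return !explicit && HEURISTICALLY_CACHEABLE.has(status);
}

// Audit captured origin responses. A missing instruction on a response that
// sets a cookie is the credential-caching case described in the post.
function auditResponses(responses) {
  return responses
    .filter((r) => leavesCachingToCdn(r.status, r.headers))
    .map((r) => ({
      path: r.path,
      severity: Object.keys(r.headers).some((n) => n.toLowerCase() === 'set-cookie') ? 'high' : 'medium',
    }));
}

// Wrap a Next.js API route handler so every response starts with an explicit
// "do not store" default. A handler that wants caching overrides the header.
function withNoStoreDefault(handler) {
  return async function wrapped(req, res) {
    res.setHeader('Cache-Control', 'private, no-store');
    return handler(req, res);
  };
}

// Constructed sample of origin responses (not taken from the post).
const SAMPLE = [
  { path: '/api/login', status: 200, headers: { 'Set-Cookie': 'session=EXAMPLE; HttpOnly' } },
  { path: '/api/profile', status: 200, headers: { 'Cache-Control': 'private, no-store' } },
  { path: '/static/logo.png', status: 200, headers: { 'cache-control': 'public, max-age=3600' } },
  { path: '/api/items', status: 200, headers: { 'Content-Type': 'application/json' } },
  { path: '/api/broken', status: 500, headers: {} },
];

console.log(auditResponses(SAMPLE));
```

In a route file the wrapper would be applied as `export default withNoStoreDefault(handler)`, so the bypass rule at the CDN is no longer the only thing standing between an unlabelled response and the cache.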

