From a889db54a13729eee02ee7bb03489015ad333de4 Mon Sep 17 00:00:00 2001
From: Rob Stradling <rob@sectigo.com>
Date: Tue, 3 Jun 2025 16:34:31 +0100
Subject: [PATCH 1/2] Short cache max-age when get-entries returns fewer
 entries than requested

---
 trillian/ctfe/handlers.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/trillian/ctfe/handlers.go b/trillian/ctfe/handlers.go
index ef784cc8e3..fde2fd8c61 100644
--- a/trillian/ctfe/handlers.go
+++ b/trillian/ctfe/handlers.go
@@ -56,6 +56,8 @@ const (
 	cacheControlHeader = "Cache-Control"
 	// Value for Cache-Control header when response contains immutable data, i.e. entries or proofs. Allows the response to be cached for 1 day.
 	cacheControlImmutable = "public, max-age=86400"
+	// Value for Cache-Control header when response contains immutable but partial data, i.e. fewer entries than requested. Allows the response to be cached for 1 minute.
+	cacheControlPartial = "public, max-age=60"
 	// HTTP content type header
 	contentTypeHeader string = "Content-Type"
 	// MIME content type for JSON
@@ -802,7 +804,11 @@ func getEntries(ctx context.Context, li *logInfo, w http.ResponseWriter, r *http
 		return http.StatusInternalServerError, fmt.Errorf("failed to process leaves returned from backend: %s", err)
 	}
 
-	w.Header().Set(cacheControlHeader, cacheControlImmutable)
+	if len(rsp.Leaves) < int(count) {
+		w.Header().Set(cacheControlHeader, cacheControlPartial)
+	} else {
+		w.Header().Set(cacheControlHeader, cacheControlImmutable)
+	}
 	w.Header().Set(contentTypeHeader, contentTypeJSON)
 	jsonData, err := json.Marshal(&jsonRsp)
 	if err != nil {

From c6da303dec54ca9822802838be62b09d8c83e94f Mon Sep 17 00:00:00 2001
From: Rob Stradling <rob@sectigo.com>
Date: Wed, 4 Jun 2025 14:22:55 +0100
Subject: [PATCH 2/2] Update CHANGELOG.md

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee7568d182..43aa589a5d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 * [ct_hammer] support HTTPS and Bearer token for Authentication.
 * [preloader] support Bearer token Authentication for non temporal logs.
 * [preloader] support end indexes
+* [CTFE] Short cache max-age when get-entries returns fewer entries than requested by @robstradling in https://github.com/google/certificate-transparency-go/pull/1707
 
 ### CTFE Storage Saving: Extra Data Issuance Chain Deduplication