The Power of ESI Nonce
Nonces are a major cause of headaches for site owners who wish to cache their content. Expiring nonces are often responsible for quirky behavior, including broken forms and 403 errors. Usually the solution is to consider any page with a nonce to be uncacheable. And sometimes it is recommended to set the entire site TTL to be the same as a nonce’s: twelve hours. These solutions are not ideal.
With LiteSpeed’s ESI Nonce functionality you can fully cache WordPress nonces and the pages they belong to. It’s a powerful tool that can make nonce-related headaches a thing of the past.
What is a Nonce in WordPress?
The word “nonce” is derived from the phrase “number used once,” although that’s not an entirely accurate way of describing them. Nonces are not really numbers, nor are they used only once. They’re actually a hash made up of numbers and letters, and they can be used multiple times within their limited lifetimes.
Nonces make certain WordPress activities more secure. A nonce is generated for a particular user, and only that user is allowed access to it. After the nonce expires, it can no longer be used by anyone.
Nonces can be applied to all sorts of things, like form submissions and post previews.
You can learn more about nonces in the WordPress Codex.
What is ESI in LSCache?
ESI is short for “edge side includes” and it refers to a feature that allows you to cache mixed content on a single page. Most frequently, ESI is used to “punch holes” in a public page and insert private content into those holes. But ESI can actually be used in any situation where some content must be cached using different parameters than the rest of the page. This includes situations where content expiration times differ.
You can learn more about LiteSpeed’s ESI implementation in this blog article.
Why Combine Nonces and ESI?
When a site is cached, the pages on the site have a set time to live (or, TTL). After that TTL passes, the page expires in the cache. Sites often set a long TTL, in order to minimize the amount of uncached content a user will encounter.
Nonces, on the other hand, have a relatively short TTL, usually twelve hours. As such, they often expire before the rest of the content on the site. This can be problematic for the pages that use them. Plugins that provide form functionality, in particular, are subject to nonce-related cache conflicts. Without ESI, pages generated by these plugins must be considered uncacheable.
By converting a nonce to an ESI block, you allow the nonce to expire independently of the site TTL, all while maintaining security, and avoiding cache conflicts. Pages that were once considered uncacheable can now be sped up with the rest of the site.
How to Use LSCache’s ESI Nonce Feature
If you know the name of the nonce that you wish to turn into an ESI block, LiteSpeed Cache makes it possible to do so with a few clicks.
Navigate to LiteSpeed Cache > Cache > ESI and locate the ESI Nonce field. Here you can list nonces, one per line, that should automatically be converted to ESI blocks.
Wildcards are accepted, which is helpful if you are using a plugin that defines a lot of nonces with the same prefix or suffix. For example, if My WordPress Plugin had three nonces called
mwpp_3, you could enter
mwpp_* and all three nonces would become ESI blocks.
ESI Nonces are public by default, but you can define them to be private by added a space and the word “private” after the nonce name, like so:
LiteSpeed has predefined the following nonces as ESI blocks, so you don’t need to set them up manually:
Divi Theme Builder
WooCommerce PayPal Checkout
Additionally, LiteSpeed has recently begun maintaining an editable list of known third party plugin nonces here. Press the Fetch Latest Predefined Nonce button, and the nonces from the list will be automatically appended to the nonces you have already listed in the ESI Nonce box. This allows you to easily convert every nonce on the list into ESI blocks. If you have a nonce that you would like to be included in this list, and you are familiar with GitHub, you can add the nonce to our list yourself and submit a Pull Request.
If you don’t know the name of the nonce(s) your plugin uses, try asking the plugin author. You should also suggest they add their nonces to our predefined list.
After entering your nonces in the ESI Nonce field (whether manually or with the button), save your changes and purge the cache (LiteSpeed Cache > Toolbox > Purge > Purge All LSCache). ESI Nonces will be cached for 12 hours and then expire, regardless of the TTL used by the rest of your site.
What About OpenLiteSpeed?
If you are an OpenLiteSpeed user, you probably know that OLS does not support ESI. And so, naturally, OLS does not support ESI Nonces.
OpenLiteSpeed users who want ESI Nonce functionality should look into QUIC.cloud. QUIC.cloud gives you the full functionality of the LiteSpeed Cache for WordPress plugin, including ESI Nonce. Check out QUIC.cloud for more details.
There is another option, which is less ideal than ESI, but still effective. Nonces have a 12 hour TTL, so as long as the pages they appear on also have a 12-hour-or-less TTL, the nonces will still work. You can set the TTL for your entire site, or you can do it just for the pages with nonces.
To change the site TTL, navigate to LiteSpeed Cache > Cache > TTL, and set Default Public Cache TTL to
43200 seconds or less.
To change the TTL for specific pages instead, navigate to LiteSpeed Cache > Cache, and add the page URIs, one-per line, to the Force Cache URIs box. After each page add a space and
43200. For example, you can have the following pages and TTLs listed:
/blog/contact 43200 /store/request-a-catalog 43200
Nonces are used by many plugins and by the WordPress core itself. A cached site is a fast site. And by treating these nonces with a different set of cache rules than the pages they appear on, your site can remain more fully and accurately cached.
If you’d like to try LiteSpeed Cache, drop by our website to learn how to get started!