The max-age directive applies to every cache (browser and reverse proxy) whereas s-maxage applies only to shared cache (reverse proxy).
This is usually not a problem when using a reverse proxy like Varnish because you can remove the max-age from the response before the browser gets it.
However if for some reason, the response header is not altered before the browser receives it, it will get the max-age directive and will keep the page in its cache for up to a year.
This a problem because then there is no way for the server to invalidate the browser cache.
(I'm assuming that people usually use a long cache duration with this module, because the page will be invalidated with cache tags when it changes.)
We have this configuration in system.performance:
cache:
page:
max_age: 31536000
When deploying our website on a server with Varnish, it works fine.
But if for some reason, the Varnish config decides to let the response pass directly to the browser return(pass), the browser will cache it for a year, which is usually not what we want.
IMHO this module should return max-age=0, s-maxage=31536000 for permanently cacheable pages.
This way, it would make it explicit that the request must be cached by shared caches but not by the browser.
Needs review
2.0
Code
I submitted a MR that makes the module always use s-max-age.
But I guess this would be considered a breaking change and would need to be behind a specific setting?