Cache Probing
Cache Probing exploits the gap between representation-aware protocol semantics and bare resource lookup.
Definition
Cache Probing exploits the gap between representation-aware protocol semantics and bare resource lookup. RFC 9110 defines a class of responses — conditional responses (304), precondition failures (412), partial content (206), range rejections (416), and negotiation failures (406) — that presuppose the server has resolved the target resource and evaluated its state, representation, or negotiation dimensions before responding.
A nonexistent resource never reaches these evaluation paths. It terminates at 404 Not Found before the server enters conditional, range, or negotiation logic. The differential between a representation-aware response and a lookup failure is the oracle.
Unlike Status Code Differentials, which observe any status code divergence across resource IDs, Cache Probing vectors are grounded in specific RFC 9110 mechanisms where the protocol requires or permits the server to evaluate target state before generating the response. The signal is not "cache behavior" in the deployment sense — it is that the server advanced into representation-level evaluation rather than stopping at resource lookup.
Why It Matters
Each Cache Probing vector carries a built-in proof of evaluation depth:
- 304 means the server evaluated a validator against the selected representation and found it matched — a conditional retrieval that would have produced 200 if the condition were false.
- 412 means the server tested one or more preconditions against target state and found them false — state-aware evaluation, not mere lookup.
- 206 means the server successfully fulfilled a range request against the selected representation — partial transfer of a resource that exists.
- 416 means the server evaluated a range against the selected representation and rejected it as unsatisfiable — the resource was found, but the range was invalid for its size.
- 406 means the server treated the target as a resource with candidate representations and found none acceptable under the request's negotiation constraints.
In every case, 404 is the contrast: the server did not find a current representation for the target resource, or is not willing to disclose that one exists. The evaluation-depth gap between these responses and 404 is what makes Cache Probing a reliable oracle class.
How It Works
The general pattern across all Cache Probing vectors:
- Client sends a request that triggers representation-aware evaluation — conditional headers (
If-None-Match,If-Match,If-Modified-Since,If-Unmodified-Since), range headers (Range), or negotiation headers (Accept,Accept-Language). - Existing target: Server resolves the resource, identifies the selected representation (or candidate representations), evaluates the request against that state, and returns a representation-aware response (304, 412, 206, 416, or 406).
- Nonexistent target: Server fails at resource lookup and returns 404 before reaching any evaluation path.
The oracle is the status code split. The server cannot produce a representation-aware response without first resolving the target — so any non-404 response from the evaluation path confirms existence.
Vectors
304 vs 404 — Conditional Retrieval
Conditional GET/HEAD reaches validator evaluation for existing targets.
412 vs 404 — Precondition Failure
Precondition headers reach state evaluation for existing targets.
206 vs 404 — Range Fulfillment
Satisfiable range requests reach range evaluation for existing targets.
416 vs 404 — Range Rejection
Unsatisfiable range requests reach range rejection for existing targets.
406 vs 404 — Negotiation Failure
Unsatisfiable negotiation headers reach negotiation evaluation for existing targets.
Method Applicability
| Vector | GET | HEAD | Other Methods |
|---|---|---|---|
| 304 vs 404 | Full (canonical) | Full | N/A — false If-None-Match on other methods yields 412, not 304 |
| 412 vs 404 | Via If-Match / If-Unmodified-Since | Same as GET | Strongest — false If-None-Match has MUST-level 412 |
| 206 vs 404 | Full (canonical) | N/A | N/A — range handling defined only for GET |
| 416 vs 404 | Full (canonical) | N/A | N/A — range handling defined only for GET |
| 406 vs 404 | Full (canonical) | Applicable | Reachable — negotiation applies to any response content |
Scope & Boundaries
What Cache Probing proves:
- The server resolved the target resource before generating the response
- The server entered representation-aware evaluation (conditional, range, or negotiation) rather than stopping at lookup
- The status code differential between evaluation-path responses and 404 confirms existence
What Cache Probing does not prove:
- It does not prove the representation is accessible to the requester in a normal retrieval path
- It does not prove the resource is cacheable in any deployment sense
- It does not distinguish origin-server evaluation from compliant intermediary evaluation
- It does not defeat RFC-sanctioned 404 normalization where the server intentionally hides existence
- 404 is semantically overloaded — per RFC 9110, it can mean either absence or intentional non-disclosure
- Absence of a representation-aware response does not prove absence of the oracle — servers MAY ignore conditional, range, or negotiation headers
Normative strength varies across vectors:
- Strongest: 304 via
If-None-Match(MUST) and 412 viaIf-None-Matchon non-GET/HEAD (MUST) - Moderate: 304 via
If-Modified-Since(SHOULD), 206 and 416 viaRange(SHOULD) - Weakest: 406 via proactive negotiation (permitted, not mandated)
Elicitation Techniques
Validator Elicitation
Conditional request headers that force representation evaluation paths.
Precondition Elicitation
State-protection conditional headers that force precondition evaluation paths.
Range Elicitation
Range request headers that force representation-aware evaluation.
Negotiation Elicitation
Proactive negotiation headers that force representation-selection paths.
Method Contexts
How each HTTP method carries elicitation techniques.
Forcing 412 Precondition Failed
Per RFC 9110 §13.1.1, if the If-Match value doesn't match any current representation's ETag, the server MUST return 412.
304 vs 404 — Conditional Retrieval
A conditional GET or HEAD using If-None-Match or If-Modified-Since reaches validator evaluation for an existing target.