Incident Report: March 30th, 2026 — Authenticated user data cached

Railway experienced an incident where CDN features were accidentally enabled for some domains without users enabling them.

Railway Blog

This write-up doesn’t make sense. Authenticated users are the ones without a Set-Cookie? Surely the ones with the cookie set are the authenticated ones?

There are dozens of contradictions, like first they say:

“this may have resulted in potentially authenticated data being served to unauthenticated users”

and then just a few sentences later say

“potentially unauthenticated data is served to authenticated users”

which is the opposite. Which one is it?

Am I missing something, or is this article poorly reviewed?

Fixed the typo in that second paragraph and aligned the section on the Set-Cookie stuff. Anything else that can be made more clear?

It appears that your company experienced an incident during which a blog entry was made available in which readers became informed about certain information about a server condition that resulted in certain users receiving a barrage of indirect clauses etc. etc. etc.

Be more direct. Be concise. This blog post sounds like a cagey customer service CYA response. It defeats the purpose of publishing a blog post showing that you’re mature, aware, accountable, and transparent.