docs(cache): add Cache Response Rules documentation

Add new Cache Response Rules how-to section covering the
http_response_cache_settings phase, including:
- Overview and concept page with availability and troubleshooting
- Available settings reference (fields, operators, actions)
- API creation guide with examples for all three actions
- Dashboard creation guide
- Terraform example

Author: tkornhammar

src/content/docs/cache/concepts/cdn-cache-control.mdx

@@ -10,7 +10,9 @@ pcx_content_type: concept
 
 You have several options available to determine how `CDN-Cache-Control` directives interact with `Cache-Control` directives.
 
-An origin can:
+If a [Cache Response Rule](/cache/how-to/cache-response-rules/) sets `Cache-Control` directives using the `set_cache_control` action, those directives take precedence over any origin-set `Cloudflare-CDN-Cache-Control` and `CDN-Cache-Control` headers.
+
+When no Cache Response Rule applies, an origin can:
 
 * Return the `CDN-Cache-Control` response header which Cloudflare evaluates to make caching decisions. `Cache-Control`, if also returned by the origin, is proxied as is and does not affect caching decisions made by Cloudflare. Additionally, `CDN-Cache-Control` is proxied downstream in case there are other CDNs between Cloudflare and the browser.
 

src/content/docs/cache/how-to/cache-response-rules/create-api.mdx

@@ -0,0 +1,240 @@
+---
+title: Create a rule via API
+pcx_content_type: how-to
+sidebar:
+  order: 4
+head:
+  - tag: title
+    content: Create a Cache Response Rule via API
+---
+
+import { Details, APIRequest } from "~/components";
+
+Use the [Rulesets API](/ruleset-engine/rulesets-api/) to create a Cache Response Rule via API. To configure the Cloudflare API, refer to the [API documentation](/fundamentals/api/get-started/).
+
+## Basic rule settings
+
+When creating a Cache Response Rule via API, make sure you:
+
+- Set the rule action to one of the [available actions](/cache/how-to/cache-response-rules/settings/#available-actions).
+- Define the parameters in the `action_parameters` field according to the [settings](/cache/how-to/cache-response-rules/settings/) you wish to configure for matching responses.
+- Deploy the rule to the `http_response_cache_settings` phase entry point ruleset.
+
+## Procedure
+
+1. Use the [List zone rulesets](/api/resources/rulesets/methods/list/) method to check if a ruleset already exists for the `http_response_cache_settings` phase.
+2. If the phase ruleset does not exist, create it using the [Create a zone ruleset](/api/resources/rulesets/methods/create/) operation. In the new ruleset properties, set the following values:
+   - kind: `zone`
+   - phase: `http_response_cache_settings`
+3. Use the [Update a zone ruleset](/api/resources/rulesets/methods/update/) operation to add rules to the ruleset. Alternatively, include the rules in the [Create a zone ruleset](/api/resources/rulesets/methods/create/) request mentioned in the previous step.
+
+## Example requests
+
+These examples demonstrate all the available actions in Cache Response Rules using request and response matching criteria. Using these examples directly will cause any existing rules in the phase to be replaced.
+
+<Details header="Example: Strip response headers from JS files before caching">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: 'http.request.uri.path.extension eq "js"',
+        description: "Strip caching headers from JS files",
+        action: "set_cache_settings",
+        action_parameters: {
+          strip_etags: true,
+          strip_set_cookie: true,
+          strip_last_modified: true
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+<Details header="Example: Set static cache tags on API responses">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: 'http.request.uri.path starts_with "/api/"',
+        description: "Tag API responses for targeted purging",
+        action: "set_cache_tags",
+        action_parameters: {
+          operation: "set",
+          values: ["api-response", "dynamic-content"]
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+<Details header="Example: Add cache tags from a response header using an expression">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: 'any(http.response.headers.names[*] == "Surrogate-Keys")',
+        description: "Extract cache tags from alternative CDN response header",
+        action: "set_cache_tags",
+        action_parameters: {
+          operation: "add",
+          expression: 'split(http.response.headers["Surrogate-Keys"][0], ",", 1)'
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+<Details header="Example: Override cache-control with max-age ">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: "http.response.code eq 200",
+        description: "Override cache-control for successful responses",
+        action: "set_cache_control",
+        action_parameters: {
+          "max-age": {
+            operation: "set",
+            value: 3600,
+            cloudflare_only: true
+          },
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+<Details header="Example: Set private directive with qualifiers">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: 'http.request.uri.path starts_with "/user/"',
+        description: "Mark user content as private",
+        action: "set_cache_control",
+        action_parameters: {
+          "private": {
+            operation: "set",
+            qualifiers: ["X-User-Id", "X-Session-Token"]
+          },
+          "no-cache": {
+            operation: "set"
+          }
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+<Details header="Example: Set immutable for static font assets">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: 'http.request.uri.path.extension in {"woff2" "woff" "ttf"}',
+        description: "Mark fonts as immutable",
+        action: "set_cache_control",
+        action_parameters: {
+          "immutable": {
+            operation: "set"
+          },
+          "max-age": {
+            operation: "set",
+            value: 31536000
+          }
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+<Details header="Example: Multiple rules — strip headers, tag responses, and set cache control">
+
+<APIRequest
+  path="/zones/{zone_id}/rulesets/phases/http_response_cache_settings/entrypoint"
+  method="PUT"
+  json={{
+    rules: [
+      {
+        expression: 'http.response.code eq 200 and http.request.uri.path.extension eq "html"',
+        description: "Strip tracking headers from HTML responses",
+        action: "set_cache_settings",
+        action_parameters: {
+          strip_etags: true,
+          strip_set_cookie: true
+        }
+      },
+      {
+        expression: 'http.request.uri.path starts_with "/products/"',
+        description: "Tag product pages for purging",
+        action: "set_cache_tags",
+        action_parameters: {
+          operation: "add",
+          values: ["product-catalog", "storefront"]
+        }
+      },
+      {
+        expression: "http.response.code eq 200",
+        description: "Set cache control for all 200 responses",
+        action: "set_cache_control",
+        action_parameters: {
+          "s-maxage": {
+            operation: "set",
+            value: 86400,
+            cloudflare_only: true
+          },
+          "must-revalidate": {
+            operation: "set"
+          }
+        }
+      }
+    ]
+  }}
+  roles={false}
+/>
+
+</Details>
+
+## Required API token permissions
+
+The API token used in API requests to manage Cache Response Rules must have the following permissions:
+
+- *Zone* > *Cache Rules* > *Edit*
+- *Account Rulesets* > *Edit*
+- *Account Filter Lists* > *Edit*

src/content/docs/cache/how-to/cache-response-rules/create-dashboard.mdx

@@ -0,0 +1,33 @@
+---
+pcx_content_type: how-to
+title: Create a rule in the dashboard
+sidebar:
+  order: 3
+head:
+  - tag: title
+    content: Create a Cache Response Rule in the dashboard
+---
+
+import { Render, DashButton } from "~/components";
+
+1. In the Cloudflare dashboard, go to **Cache** > **Cache Rules**.
+
+   <DashButton url="/?to=/:account/:zone/caching/cache-rules" />
+
+2. Select the **Cache Response Rules** tab.
+3. Select **Create rule**.
+
+4. Enter a descriptive name for the rule in **Rule name**.
+5. Under **When incoming requests match**, select **All incoming requests** if you want the rule to apply to all traffic or **Custom filter expression** if you want the rule to only apply to traffic matching the custom expression.
+6. If you selected **Custom filter expression**, define the [rule expression](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder). Use the **Field** drop-down list to choose an HTTP property and select an **Operator**. Both request fields (such as URI path or hostname) and response fields (such as response status code or response headers) are available for matching. Refer to [Available settings](/cache/how-to/cache-response-rules/settings/) for the full list of available fields and operators.
+
+   :::note
+   Rules can be further customized by using the **Edit expression** option. You can find more information in [Edit expressions in the dashboard](/ruleset-engine/rules-language/expressions/edit-expressions/).
+   :::
+
+7. Following the selection of the field and operator, enter the corresponding value that will trigger the Cache Response Rule. For example, if the selected field is `Hostname` and the operator is `equals`, a value of `example.com` would mean the rule matches any request to that hostname.
+8. Under **Then**, select the action you want to apply. Refer to [Available settings](/cache/how-to/cache-response-rules/settings/#available-actions) for the list of available actions and their parameters.
+9. Under **Place at**, from the dropdown, you can select the order of your rule. From the main page, you can also change the order of the rules you have created.
+10. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+
+   <Render file="rules-creation-dash-dns-popup" product="rules" />

src/content/docs/cache/how-to/cache-response-rules/index.mdx

@@ -0,0 +1,64 @@
+---
+title: Cache Response Rules
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+import { FeatureTable, InlineBadge, Render } from "~/components";
+
+Cache Response Rules allow you to configure cache settings based on request and response attributes. These rules execute prior to caching in the in the `http_response_cache_settings` phase, which runs after Cloudflare receives the origin response.
+
+With Cache Response Rules you can:
+
+- Strip specific headers (ETags, Set-Cookie, Last-Modified) from origin responses before caching.
+- Add, remove, or set cache tags on responses for targeted [cache purging](/cache/how-to/purge-cache/).
+- Set the Cache-Control header directives for the origin response.
+
+Cache Response Rules apply to both cached and non-cached (dynamic) responses from the origin. For example, you can strip Set-Cookie headers from responses that are not eligible for caching.
+
+Cache Response Rules can be created in the [dashboard](/cache/how-to/cache-response-rules/create-dashboard/), via [API](/cache/how-to/cache-response-rules/create-api/), or [Terraform](/cache/how-to/cache-response-rules/terraform-example/).
+
+:::note
+
+Cache Response Rules require that you [proxy the DNS records](/dns/proxy-status/) of your domain (or subdomain) through Cloudflare.
+
+:::
+
+## Availability
+
+The following table describes Cache Response Rules availability per plan.
+
+<FeatureTable id="cache.cache_rules" />
+
+<Render
+	file="troubleshoot-rules-with-trace"
+	product="rules"
+	params={{ rulesFeatureName: "Cache Response Rules" }}
+/>
+
+## Relationship with Cache Rules
+
+Cache Response Rules operate on the origin response, while [Cache Rules](/cache/how-to/cache-rules/) operate on the incoming request. When settings from both rule types conflict, Cache Response Rules take precedence.
+
+Key differences:
+
+- **Cache eligibility** ΓÇö Cache Rules remain the only mechanism to decide whether content is eligible for caching. However, Cache Response Rules can make a cacheable asset non-cacheable by setting the `no-store` directive using the `set_cache_control` action.
+- **Origin Cache Control (OCC)** ΓÇö If any rule in the `http_response_cache_settings` phase matches, Cloudflare defaults to Origin Cache Control behavior (`origin_cache_control = true`).
+- **CDN-Cache-Control precedence** ΓÇö `Cache-Control` directives set by Cache Response Rules take precedence over origin-set `Cloudflare-CDN-Cache-Control` and `CDN-Cache-Control` headers. For more information, refer to [CDN-Cache-Control header precedence](/cache/concepts/cdn-cache-control/#header-precedence).
+- **Stacking** ΓÇö Cache Response Rules stack the same way as Cache Rules. When multiple rules specify the same setting, the last matching rule wins.
+
+### Example: OCC precedence over Edge TTL
+
+Consider the following scenario:
+
+1. A Cache Rule sets **Edge TTL** to `override_origin` with a value of `7200` seconds (2 hours).
+2. A Cache Response Rule uses `set_cache_control` to set `s-maxage` to `3600` seconds (1 hour) with `cloudflare_only` enabled.
+3. The origin responds with `Cache-Control: s-maxage=600`.
+
+In this case, the Cache Response Rule takes precedence. Cloudflare caches the asset for `3600` seconds (1 hour) based on the `s-maxage` directive set by the Cache Response Rule, while visitors still receive the original `s-maxage=600` from the origin because `cloudflare_only` is enabled.
+
+## Notes
+
+- If you strip last modified then Smart Edge Revalidation will be turned off.
+- Cache Response Rules ignore HTTP Response 1xx as it is treated as informational responses.