Problem Statement
Xano automatically appends a Set-Cookie: XNS=...; Path=/socket/; Secure; HttpOnly; SameSite=Strict header to every API response, including read-only, public endpoints with no authentication or Realtime features enabled. This header cannot be removed using Xano's built-in HTTP Header function step, as it is injected at the infrastructure level after the function stack runs.
This causes a critical caching problem: most CDNs (e.g., Cloudflare, Fastly, AWS CloudFront) will not cache any response that contains a Set-Cookie header, since cookies are typically user-specific. As a result, even endpoints with response caching enabled in Xano cannot benefit from CDN-level caching. This defeats the purpose of using a CDN and puts unnecessary load on the Xano instance for every request.
Proposed Solution
Please provide one or more of the following options:
1. A workspace-level toggle to disable the XNS cookie on workspaces that do not use the Realtime feature.
2. A way to suppress or strip the Set-Cookie header on specific API endpoints via the HTTP Header function step.
3. At minimum, official documentation clarifying whether this behavior is intentional or a bug, so users can plan their infrastructure accordingly.
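
A check for the caching problem described in this post, added here as an example (it is not Xano's code and not part of the original request): it classifies a response as cacheable, cacheable once the XNS cookie is removed at the edge, or not safe to put in a shared cache. The function names, sample headers and request path are assumptions, and treating XNS as removable assumes the workspace does not use Realtime.

```javascript
// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// headers: array of [name, value] pairs, because Set-Cookie may repeat.
function classifyForEdgeCache(requestPath, headers) {
  const cookies = headers
    .filter(([n]) => n.toLowerCase() === "set-cookie")
    .map(([, v]) => parseSetCookie(v));
  if (cookies.length === 0) return { verdict: "cacheable", strip: [] };
  // Requests under /socket/ are in the cookie's scope: never cache those.
  if (requestPath.startsWith("/socket/"))
    return { verdict: "bypass", strip: [], reason: "cookie path in scope" };
  // Any cookie other than XNS scoped to /socket/ may be user-specific.
  const foreign = cookies.filter(
    (c) => c.name !== "XNS" || c.attrs.path !== "/socket/"
  );
  if (foreign.length > 0) {
    const names = foreign.map((c) => c.name).join(",");
    return { verdict: "bypass", strip: [], reason: "other cookies: " + names };
  }
  return { verdict: "cacheable-after-strip", strip: ["XNS"] };
}

// Constructed sample responses (cookie values are placeholders, not real tokens).
const publicRead = [
  ["Content-Type", "application/json"],
  ["Set-Cookie", "XNS=PLACEHOLDER; Path=/socket/; Secure; HttpOnly; SameSite=Strict"],
];
const withSession = publicRead.concat([
  ["Set-Cookie", "session=PLACEHOLDER; Path=/; HttpOnly"],
]);

console.log(classifyForEdgeCache("/api:example/items", publicRead));
console.log(classifyForEdgeCache("/api:example/items", withSession));
```

The "bypass" verdict is the fail-safe: a response carrying any cookie other than the /socket/-scoped XNS one stays out of the shared cache.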