On March 30, 2026, a configuration deployment at Railway—a popular Platform-as-a-Service—accidentally enabled CDN caching for domains that had it explicitly disabled. For 52 minutes, authenticated responses were cached and served to the wrong users.
User-specific account information. Dashboard state. Anti-forgery tokens. Project metadata. All potentially served from a shared cache to whoever happened to request the same URL next.
Railway estimates 0.05% of domains with CDN disabled were affected. The incident was caught within 32 minutes, rolled back within 52, and the disclosure was prompt and transparent. Credit where it's due—that's a better response than most.
But the incident raises a question every team running production workloads should be asking: what happens when your platform makes a mistake you can't control?
What Actually Happened
At 10:42 UTC, a Railway engineer deployed a configuration change to their CDN provider. The change inadvertently shifted a subset of non-CDN domains into caching behavior.
The technical mechanism matters, because it catches developers off guard:
Most GET responses that lack explicit cache-control directives became shared-cache eligible. The presence of Set-Cookie headers didn't prevent this—per RFC 9111, the absence of Set-Cookie doesn't inhibit caching. Response bodies can be cached and reused across users independently of cookie handling.
This is a misconception worth correcting: authentication does not automatically prevent caching. Unless your application explicitly sends Cache-Control: private or no-store, a shared cache is technically allowed to serve your response to someone else. Most of the time this doesn't matter because the infrastructure respects your intent. Until one deployment changes that assumption.
Timeline:
- 10:42 UTC — Configuration deployment goes live
- 11:14 UTC — Railway identifies the issue via internal monitoring and user reports
- 11:34 UTC — Rollback complete, global cache purge executed
The Real Lesson Isn't "Don't Use PaaS"
Let's be clear about something: PaaS is the right model for most teams. Git push deploys, managed databases, automatic scaling, zero server management. The developer experience gains are real and significant. Nobody should go back to managing servers manually.
The lesson from Railway's incident is narrower and more specific: on a shared multi-tenant platform, someone else's deployment pipeline can affect your application. Railway's engineer wasn't touching your project. They were updating CDN provider settings for the platform. Your application was collateral.
This is the tradeoff of shared PaaS. You get incredible convenience, but you share infrastructure with every other customer on the platform. Their traffic patterns affect your performance. Their abuse reports can trigger platform-wide policy changes. And occasionally—as we saw this week—a platform-level configuration change can expose your users' data.
Railway isn't uniquely vulnerable here. This is a structural property of shared platforms:
- Heroku's OAuth token theft (2022) — compromised tokens across thousands of applications from a platform-level breach
- Netlify's cache poisoning — user-specific content served from shared cache due to platform configuration
- Various edge runtime incidents where shared execution environments leaked state between tenants
These aren't arguments against PaaS. They're arguments for owning the PaaS yourself.
Want the PaaS experience without the shared-tenancy risk? NuPaaS gives you your own platform—git push deploys, managed databases, automatic scaling—running on infrastructure you control. No shared CDN. No other tenants. Your stack, your rules.
What "Owning Your Stack" Actually Means
The old version of this argument was: "you need to run your own servers." That meant hiring ops engineers, managing bare metal, being on-call at 3 AM. Understandably, most teams chose shared PaaS instead and accepted the tradeoff.
That tradeoff no longer exists.
Modern self-hosted PaaS platforms give you everything you love about Railway, Heroku, or Render—but running on your own infrastructure, managed by your own team (or ours), under your own control.
The developer experience is the same:
- Git push deploys — push to main, your app updates
- Managed databases — provisioned, backed up, scaled automatically
- Automatic scaling — handle traffic spikes without manual intervention
- Environment management — staging, production, preview environments
- Zero server management — the platform handles the infrastructure layer
The difference is what sits beneath:
Your CDN configuration. When cache rules change, it's because your team changed them. Nobody else's deployment can affect your caching behavior.
Your network isolation. Your applications aren't sharing load balancers, edge proxies, or TLS termination with thousands of other tenants. A noisy neighbor can't degrade your performance. A platform-wide incident can't expose your data.
Your deployment pipeline. When a configuration ships, it went through your review process, your staging environment, your approval workflow. No surprises from platform engineers you've never met.
Your jurisdiction. For European businesses, this matters more than ever. Your data lives where you decide, governed by the laws you choose, operated by a team accountable to you.
This isn't going backwards. It's taking the best part of PaaS—the developer experience—and removing the part that creates incidents like Railway's: shared infrastructure you can't control.
The GDPR Angle European Businesses Can't Ignore
For teams serving EU users, the Railway incident has a specific regulatory dimension.
Railway is a US company. Their infrastructure runs on US cloud providers. When authenticated European user data was cached and served to wrong recipients, that's a personal data breach under GDPR Article 4(12)—unauthorized disclosure of personal data.
Under GDPR, you—the data controller—are responsible for breach notification, not your platform provider. Railway sends an apology email. You file the supervisory authority notification within 72 hours. You notify affected users. You bear the reputational and regulatory consequence.
This is the compliance reality of shared infrastructure: you inherit the consequences of your platform's failures. Your data processing agreement might define responsibilities on paper, but the regulator's first call is to you.
With infrastructure you own, the equation changes. You control the configuration that caused this incident. You control the CDN rules, the caching behavior, the deployment pipeline. If something goes wrong, it's something you can investigate, fix, and prevent—because you have full access to the stack.
For businesses subject to GDPR, the EU AI Act, NIS2, or DORA, owning your infrastructure isn't just a technical preference. It's a compliance posture.
European business running on US-operated platforms? NuPaaS is built for EU data sovereignty—European infrastructure, European operations, European jurisdiction. Full PaaS convenience with full regulatory control.
Protect Yourself Today, Regardless of Platform
Whether you're on Railway, Heroku, Vercel, or your own infrastructure—this incident is a reminder to get your cache headers right. This is something every team should audit today:
Set Explicit Cache-Control on Authenticated Responses
Cache-Control: private, no-store, no-cache, must-revalidateCache-Control: private, no-store, no-cache, must-revalidateSet this on every authenticated response. Not just the ones you think are sensitive—all of them. It costs nothing in performance for responses that are user-specific anyway, and it's the only reliable defense against shared-cache leaks regardless of what your platform does.
Many frameworks optimize for performance by default, not security. Express, Next.js, and Rails all have different default caching behaviors—and none of them default to "never cache authenticated content."
Quick Audit in 60 Seconds
- Log in to your application
- Open browser DevTools → Network tab
- Click through authenticated pages
- Check the
Cache-Controlheader on each response
If you see public, max-age with a value greater than zero, or no Cache-Control header at all—fix it before anything else.
Test for Cross-User Cache Leaks
Log in as User A. Copy a request URL for an authenticated page. Log in as User B in a different browser. Hit the same URL. If User B sees User A's content, you have a problem. Do this regularly, not just once.
Review Your Platform's Infrastructure Surface
Understand what your PaaS manages on your behalf: CDN, edge caching, TLS termination, DNS, load balancing. Each of these is a surface where a platform misconfiguration can affect your application. Know what you're trusting them with—and decide if you'd rather own it.
The PaaS model isn't the problem. Not owning your stack is. NuPaaS gives European teams the deployment experience they love with the infrastructure control they need. Your platform. Your data. Your rules.