Module responses uses paranoid max-age: 0, should be more liberal in production

Since module requests can-not contain a content checksum in the URL, they must be validated by the client frequently.

In development, a max-age of 0 makes sense; there is no cost to checking the module's current status (modules include E-Tag headers) and a stiff cost to having the wrong code running in the browser during development.

In production, the max-age of 0 causes a significant load on the origin server as even intermediate caches must pass a constant stream of requests through to the origin server for validation ... even for a user navigating from page to page within the application (rather than returning to the application hours or days later).

Having max-age (and the other values) be configurable in production would be ideal; a max-age of several minutes to an hour would likely result in virtually no client-side failures.