Strategy documentation should show "hitpass: false" by default

[molund]

We ran into a very tricky debugging scenario where:

a. hitpass wasn't set in our configuration
b. We had cookies in our requests because we had been using the same browsers to access the Strapi admin site

The result was that the cache appeared to be invalidating properly when tested from the browser, but actually the browser was bypassing the cache due to the default hitpass setting, which returns true if there is a cookie in the request:

function hitpass(ctx) {
  // ignore cache when authorization or cookie headers are present
  return Boolean(
    ctx.request.headers.authorization || ctx.request.headers.cookie
  );
}

The default hitpass behaviour also made it very difficult to confirm that Redis was working locally because I mistakenly used the browser with a cookie to call the rest api as part of my test.

Changing the default behaviour would be a breaking change, so I am suggesting changing all the examples in the documentation instead so they include hitpass: false.

e.g.
hitpass: false, // remove this setting to bypass the cache if authorization or cookie headers are present