Once the certificate is cached, requests can pass validation even if they shouldn't.
Probable solution: cache key should be an MD5 of all relevant parameters, not just the URL

caching by URL is actually fine. Tweaks incoming