How CDNs Work
| Item | Description |
|---|---|
| Edge servers (PoPs) | Distributed servers near end users — serve cached content locally |
| Origin server | Your actual server — CDN fetches from here on cache miss |
| Cache hit | Content served from edge (fast — sub-10ms for static) |
| Cache miss | Edge fetches from origin, caches result, serves to user |
| Time To Live (TTL) | How long content stays cached (Cache-Control: max-age header) |
| Origin shield | Extra cache layer between edge and origin — reduces origin load |
Cache Control Headers
| Item | Description |
|---|---|
| Cache-Control: max-age=3600 | Cache for 1 hour (browser + CDN) |
| Cache-Control: s-maxage=86400 | Override max-age for shared caches ONLY (CDN) |
| Cache-Control: public | Allow caching by CDN and browsers |
| Cache-Control: private | Browser-only caching (NOT CDN) — user-specific content |
| Cache-Control: no-store | Never cache anywhere (banking, sensitive data) |
| Surrogate-Control: max-age=600 | CDN-specific TTL (Fastly/Akamai) |
| ETag / If-None-Match | Conditional request — only send body if changed (304) |
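
The directives above interact, and the security-relevant question is usually whether a user-specific response ends up in the shared edge cache. The following is an added example, not code from the original page: it works out the browser and CDN lifetimes for a response using only the directives in this table and flags a `Set-Cookie` response the CDN may store. The function names, the sample responses, and the edge precedence (Surrogate-Control, then s-maxage, then max-age) are assumptions; check the precedence against your CDN's documentation.

```python
def parse_directives(value):
    """Split a Cache-Control / Surrogate-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def seconds(directives, name):
    """Return the directive's integer argument, or None if absent or malformed."""
    arg = directives.get(name)
    return int(arg) if arg and arg.isdigit() else None


def cache_plan(headers):
    """Return (browser_ttl, cdn_ttl, warnings). None means no explicit TTL or not stored."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_directives(h.get("cache-control"))
    sc = parse_directives(h.get("surrogate-control"))
    if "no-store" in cc:
        return None, None, []          # never cached anywhere
    warnings = []
    if not cc and not sc:
        warnings.append("no caching headers: the CDN's default policy decides")
    browser_ttl = seconds(cc, "max-age")
    if "private" in cc:
        cdn_ttl = None                 # browser-only, shared caches must not store it
    else:
        # Assumed precedence at the edge: Surrogate-Control, then s-maxage, then max-age.
        candidates = (seconds(sc, "max-age"), seconds(cc, "s-maxage"), browser_ttl)
        cdn_ttl = next((t for t in candidates if t is not None), None)
    if cdn_ttl and "set-cookie" in h:
        warnings.append(f"Set-Cookie on a response the CDN may store for {cdn_ttl}s")
    return browser_ttl, cdn_ttl, warnings


# Constructed sample responses (paths and header values are made up for illustration).
SAMPLES = {
    "/static/app.abc123.js": {"Cache-Control": "public, max-age=31536000"},
    "/account": {"Cache-Control": "max-age=3600", "Set-Cookie": "session=constructed"},
    "/api/profile": {"Cache-Control": "private, max-age=60"},
    "/news": {"Cache-Control": "max-age=60, s-maxage=86400", "Surrogate-Control": "max-age=600"},
    "/statement": {"Cache-Control": "no-store"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(path, cache_plan(hdrs))
```

The `/account` sample is the case to look for in an audit: it carries a session cookie but lacks `private`, so it is eligible for the edge cache.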
Cache Invalidation & Purging
| Item | Description |
|---|---|
| Purge by URL | Purge a specific URL from all edge caches |
| Purge by prefix | Purge all URLs matching /images/* (wildcard purge) |
| Surrogate keys | Tag content with keys; purge all tagged content at once |
| Soft purge | Mark as stale — serve stale while revalidating (stale-while-revalidate) |
| Instant purge | Immediate removal (Cloudflare, Fastly — under 1 second) |
| Versioned URLs | Rename assets (app.v2.js) — no purge needed, new URL = cache miss |
CDN Security Features
| Item | Description |
|---|---|
| DDoS protection | Absorb volumetric attacks at edge (Cloudflare, Akamai) |
| WAF | Web Application Firewall — block SQLi, XSS at edge |
| Bot management | Detect and block malicious bots, allow good bots |
| Token authentication | Signed URLs/expiring tokens for protected content |
| Origin IP hiding | Only CDN IPs visible — origin stays hidden from attackers |
Pro Tip: Set long Cache-Control max-age for versioned assets (app.abc123.js). Use surrogate keys for granular cache invalidation across many URLs at once.