CDN Setup — Serve Your Content from the Edge Without the Configuration Pain

Every CDN provider gives you a "quick start" setup that caches everything based on URL and serves it until the TTL expires. This works for a brochure website. It breaks spectacularly for modern web applications with API routes, authenticated content, dynamic images, and server-rendered pages.

Common failure modes: API responses cached and served to the wrong user (because the CDN ignored the Authorization header), stale HTML served after a deployment (because cache invalidation was not wired into the deploy pipeline), images served at full resolution on mobile (because no image optimization was configured), and CORS errors on API calls (because the CDN stripped or cached Access-Control-Allow-Origin headers incorrectly).

The fix is not "disable caching." The fix is a cache policy that understands your application. Static assets (.js, .css, images with content hashes) should be cached for a year. HTML should be cached briefly or revalidated on every request. API responses should not be cached at all, or cached with Vary headers that partition by authorization state. We configure these policies per path pattern so the CDN does what you actually need.

We have deployed CDN configurations for Next.js, React SPAs, API backends, image-heavy platforms, and video streaming services. Each has different caching requirements, and we tailor the configuration accordingly.

CloudFront: We configure distributions with multiple origins (S3 for static assets, ALB for API), cache behaviors per path pattern, and origin request policies that forward only the headers your backend needs. Cache policies use CachingOptimized for static assets and CachingDisabled for API routes. We set up Lambda@Edge or CloudFront Functions for header manipulation, URL rewriting, A/B testing, and authentication at the edge. All configuration is managed via Terraform for reproducibility.

Cloudflare: We configure DNS, SSL mode (Full Strict), page rules or cache rules for path-specific caching, and firewall rules for bot protection. Cloudflare Workers handle edge logic — geolocation-based routing, request modification, and custom caching. We set up Argo Smart Routing for faster origin pulls and Tiered Caching to reduce origin load.

Cache Invalidation: We wire cache invalidation into your deployment pipeline. On deploy, the pipeline creates a CloudFront invalidation for changed paths or purges Cloudflare's cache for updated URLs. For applications using content hashes in asset filenames (which they should), only the HTML entry point needs invalidation — assets are immutably cached.

Custom Domains and SSL: We configure custom domains with ACM certificates (CloudFront) or Cloudflare's Universal SSL. For multi-region setups, we configure latency-based DNS routing so users hit the nearest CDN edge, which then routes to the nearest origin.

A production CDN setup tailored to your application:

• Distribution configuration — CloudFront or Cloudflare with path-specific cache behaviors
• Origin setup — S3, ALB, or custom origins with keep-alive and failover
• Cache policies — per-path caching rules matching your application's content types
• Edge functions — Lambda@Edge, CloudFront Functions, or Workers for edge logic
• Cache invalidation — automated invalidation wired into your deployment pipeline
• SSL/TLS — custom domain certificates with automatic renewal
• Monitoring — cache hit ratio, error rate, and latency dashboards
• Cost estimation — data transfer and request pricing analysis for your traffic pattern

Always set Cache-Control: public, max-age=31536000, immutable on assets with content hashes in their filenames. This tells the CDN and browsers to cache forever and never revalidate. If the content changes, the filename changes, which is a different cache key. This single header eliminates conditional requests and dramatically reduces latency for returning visitors.

For HTML pages, use Cache-Control: public, max-age=0, must-revalidate with an ETag header. The CDN caches the response but checks with the origin on every request. If the content has not changed, the origin responds with 304 (not modified) and the CDN serves the cached copy. This gives you fresh content with minimal origin load.

Never cache responses that include Set-Cookie headers. If the CDN caches a response with a session cookie, every subsequent user gets that cookie — a session fixation vulnerability. Configure your CDN to strip Set-Cookie from cached responses or exclude those paths from caching entirely.

Monitor your cache hit ratio. A healthy CDN should have 90%+ cache hit ratio for static-heavy sites. If it is below 70%, your cache policies are likely too restrictive or your cache keys include unnecessary parameters (query strings, headers) that fragment the cache.