Devii · Cloud · 2026-04-16 · 7 min read
CDN Caching: Cache-Control, Surrogate Keys, And Purge Strategy
HTTP caching headers and edge purge patterns that match how CDNs actually store objects.
CDNs cache HTTP responses at edge PoPs based on **Cache-Control**, **Expires**, and vendor-specific overrides. RFC 9111 defines HTTP caching semantics. `max-age` and `s-maxage` (which applies to shared caches only) are the knobs teams use daily.
**Surrogate-Key** (or similar vendor headers) tags responses with logical labels so you can purge related objects without URL-by-URL lists. This is useful for CMS pages that share embedded assets or API-driven fragments.
`private` and `no-store` protect personalized HTML and authenticated API payloads from shared caches. Do not mark user-specific JSON as public.
Validate with `curl -I` through the CDN and with origin bypass headers in staging. Misconfigured caching causes subtle auth leaks or stale content incidents.
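The check described above can be scripted over saved `curl -I` output. The following is an added example, not code from the original article: it flags responses that look personalized (a `Set-Cookie` header, or a request that carried credentials) but lack `private` or `no-store`. The function names, finding labels and sample responses are constructed for illustration.

```python
def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def parse_head(raw):
    """Turn `curl -I` output into {lowercased header name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def shared_cache_findings(raw, request_authenticated=False):
    """Flag personalized responses that a shared cache is allowed to store."""
    headers = parse_head(raw)
    cc = {}
    for value in headers.get("cache-control", []):
        cc.update(parse_cache_control(value))
    if "private" in cc or "no-store" in cc:
        return []  # shared caches must not store these
    findings = []
    if "set-cookie" in headers:
        findings.append("set-cookie-without-private-or-no-store")
    if request_authenticated:
        # RFC 9111: these directives let a shared cache reuse a response
        # to a request that carried an Authorization header.
        if cc.keys() & {"public", "s-maxage", "must-revalidate"}:
            findings.append("authenticated-response-shared-cacheable")
        else:
            # Assumption: a vendor-specific override could still cache this,
            # so an explicit private/no-store is the safer configuration.
            findings.append("authenticated-response-relies-on-defaults")
    return findings


# Constructed sample responses, shaped like `curl -I` output.
LEAKY = "HTTP/2 200\r\ncontent-type: application/json\r\ncache-control: public, max-age=300, s-maxage=3600\r\nset-cookie: session=constructed; HttpOnly\r\n"
SAFE = "HTTP/2 200\r\ncontent-type: application/json\r\ncache-control: private, no-store\r\nset-cookie: session=constructed; HttpOnly\r\n"
STATIC = "HTTP/2 200\r\ncontent-type: text/css\r\ncache-control: public, max-age=86400\r\nsurrogate-key: site-css\r\n"
NO_CC = "HTTP/2 200\r\ncontent-type: application/json\r\n"
```

Run it against responses fetched through the CDN in staging; an empty list for every authenticated endpoint is the expected result.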