Cache CSS/JS aggressively
Speed up assets with GET/HEAD, 200/301/302/304 responses, and a 1-day or longer TTL; remove campaign tracking parameters from the cache key.
CDN.com.tr Help
Configure domain/path cache key, TTL, methods/statuses, headers/cookies, optimization, and rate-limit rules.
Cache, security, WAF, and purge
Configure domain/path cache key, TTL, methods/statuses, headers/cookies, optimization, and rate-limit rules.
These examples use safe WordPress-origin scenarios for static files, query strings, headers/cookies, and sensitive session paths.
Speed up assets with GET/HEAD, 200/301/302/304 responses, and a 1-day or longer TTL; remove campaign tracking parameters from the cache key.
Bypass cache when a session or cart cookie is present; wp-admin and wp-login paths should never enter shared cache.
Ignore Set-Cookie or Cache-Control for cache decisions, hide X-Origin-Debug/X-Powered-By from users, and enable upstream debug only temporarily.
For API-like paths, include only content-changing query parameters in the cache key and set a request limit.
Narrow the rule by domain, protocol, and path regex before changing behavior; broad `/` rules need deliberate review.
Keep query parameters in the cache key only when they change the content; tracking parameters usually get removed.
Personalized, cart, and admin content should bypass cache; static and anonymous content can receive TTL.
Ignoring an origin header for cache decisions is different from hiding it from the client.
Account-level presets set the broad behavior; Add Rule writes precise behavior for a domain/path.
Expected result: The rule modal opens and the new rule is prepared within the selected account scope.
cdnctl accounts list
export ACCOUNT_UUID=<selected_account_uuid>
cdnctl cdn advanced-rules list --account "$ACCOUNT_UUID" --format table
These fields decide which requests the rule matches; an overly broad regex can change the whole site.
Expected result: The rule matches only the target hostname and paths.
cat > rule-static-assets.json <<EOF
{"server_domain_names":["www.example.com"],"type":["http","http2"],"path_regex":"^/cdn-help/rules/(cache-demo\\.css|query-demo\\.json)$"}
EOF
cdnctl cdn advanced-rules validate --account "$ACCOUNT_UUID" --file rule-static-assets.json
For static files, remove tracking query parameters from the cache key and keep only real variants.
Expected result: Anonymous CSS/JSON objects are cached without splitting cache by unnecessary query parameters.
jq '. + {"cache_query_mode":"ignore_list","cache_query_params":["utm_*","gclid","fbclid","msclkid"],"cache_valid_time":"1 day","allowed_cache_methods":["GET","HEAD"],"allowed_cache_responses":["200","301","302","304"],"response_cache_times":{"200":"1 day","301":"1 week","302":"2 hours","304":"1 day"}}' rule-static-assets.json > rule-static-assets-cache.json
cdnctl cdn advanced-rules validate --account "$ACCOUNT_UUID" --file rule-static-assets-cache.json
Admin, login, cart, and checkout paths should preserve origin behavior instead of returning cache hits.
Expected result: Session requests do not return shared cached content to another user.
cat > rule-wordpress-sensitive.json <<EOF
{"server_domain_names":["www.example.com"],"type":["http","http2"],"path_regex":"^/(wp-admin|wp-login\\.php|cart|checkout)(/.*)?$","bypass":"on","bypass_by_cookie":"wordpress_logged_in\nwoocommerce_cart_hash\nwp_woocommerce_session_","limit":30,"per_time":10}
EOF
cdnctl cdn advanced-rules validate --account "$ACCOUNT_UUID" --file rule-wordpress-sensitive.json
Decide separately whether origin headers affect cache decisions and whether they are exposed to browsers.
Expected result: Origin headers are controlled deliberately and debug is not left enabled in production traffic.
jq '. + {"ignore_headers":["Cache-Control","Set-Cookie"],"hide_headers":["X-Origin-Debug","X-Powered-By"],"custom_headers":"X-Forwarded-Host: $host\nX-CDN-Rule-Debug: temporary","debug_upstream_headers":true,"image_optimization":"on","white_space":"on"}' rule-static-assets-cache.json > rule-headers-debug.json
cdnctl cdn advanced-rules validate --account "$ACCOUNT_UUID" --file rule-headers-debug.json
Because Save can trigger live apply flow, the final check is path/domain/TTL/header based.
Expected result: After operation success, matching requests show the new cache/header/rate-limit behavior.
cdnctl cdn advanced-rules create --account "$ACCOUNT_UUID" --file rule-headers-debug.json
cdnctl operations list --account "$ACCOUNT_UUID"
curl -I "https://www.example.com/cdn-help/rules/cache-demo.css?utm_source=test"
curl -I -H "Cookie: wordpress_logged_in=redacted" "https://www.example.com/wp-admin/"
WordPress admin/cart bypasses cache while static assets and anonymous JSON paths are cached deliberately.
Use WAF logs to explain blocked or challenged traffic without exposing internal log systems.
Purge a path, saved path, or the whole account and separate CDN cache from browser cache.
Use the X-Proxy-Cache-MT response header to see exactly what the CDN did with a request and to verify that caching works as intended.