CDN features and options
This document details the core features and configurations available within the STACKIT Content Delivery Network (CDN).
Feature overview & availability
The following table outlines which STACKIT CDN features are currently available and which are still being developed:
| Feature | API | SDK | Terraform/OpenTofu | Portal |
|---|---|---|---|---|
| Create/delete distribution | Available | Available | Available | Available |
| IP/URL origin | Available | Available | Available | Available |
| Bucket origin | Available | Available | Available | WIP |
| Managed domain | Available | Available | Available | Available |
| Custom domain | Available | Available | Available | Available |
| Zero downtime migration | Available | Available | WIP | WIP |
| Managed certificate | Available | Available | Available | Available |
| Custom certificate | Available | Available | Available | Available |
| TLS protocol versions | Available | Available | WIP | WIP |
| Monthly bandwidth limit | Available | Available | WIP | WIP |
| Origin request headers | Available | Available | Available | Available |
| Forward host headers | Available | Available | WIP | WIP |
| Strip response cookies | Available | Available | WIP | WIP |
| Geoblocking | Available | Available | WIP | Available |
| Geofencing | Available | Available | Available | WIP |
| Redirects | Available | Available | WIP | WIP |
| Cache default TTL | Available | Available | WIP | WIP |
| Cache purge | Available | Available | WIP | Available |
| Image Optimizer | Available | Available | Available | Available |
| Built-in log storage | Available | Available | WIP | Available |
| Log sinks | Available | Available | WIP | WIP |
| Metrics | Available | Available | WIP | Available |
Source (origins and backends)
The origin is the definitive source of your content. The STACKIT CDN fetches resources from the origin when they are not in the edge cache or when edge delivery rules exclude them.
There are two backend types available:
- HTTP backend: Connects to any publicly accessible web server via a URL or IP.
- Bucket backend: Specifically designed for S3-compatible storage. It allows the CDN to use stored credentials (access key ID and secret key) to fetch private assets securely.
Domains
Every CDN distribution automatically receives a managed STACKIT subdomain. To use your own branding, you can configure custom domains alongside the managed domain.
Managed domains
By default, STACKIT assigns a subdomain to your distribution as the primary entry point for your website.
This domain follows the format: {uid}.{internal-dns-zone}.cdn.onstackit.cloud
Custom domains
You can map your own domain (for example, shop.example.com) to a distribution.
You can also link multiple custom domains to a single distribution.
To set up a custom domain:
- Create a DNS CNAME record that points your domain to the managed STACKIT CDN domain.
- Wait for the DNS record to propagate globally.
- Add the custom domain to your distribution configuration.
Zero-downtime migration
If you are migrating a domain currently in production, use the skipDnsCheck flag during setup.
This allows STACKIT to provision SSL certificates before you switch your DNS records, preventing service interruptions.
Certificates
All domains require SSL/TLS certificates for security. STACKIT provides two management options:
- Managed certificates: By default, STACKIT provisions and automatically renews Let’s Encrypt certificates for your managed domains. You can enable this feature for custom domains to automate the certificate lifecycle.
- Custom certificates: For specific compliance requirements, you can upload your own PEM-encoded certificates and private keys. These certificates are unmanaged, meaning you must rotate them manually. STACKIT does not send notifications before they expire.
TLS protocol versions
By default, only TLS 1.2 and 1.3 are active to ensure a high level of security for your distribution. Support for the older, deprecated versions (TLS 1.0 and 1.1) is disabled out-of-the-box and must be explicitly enabled in your configuration if your specific client requirements demand it.
Monthly bandwidth limit
To help control costs and prevent unexpected traffic spikes from exceeding your budget, you can set a monthly bandwidth limit.
- Configuration: Define the maximum amount of bandwidth in bytes (monthlyLimitBytes) that the distribution is allowed to consume within a single calendar month.
- Limit enforcement: Once the monthly data or request limit is reached, the distribution automatically suspends service and serves an error page to all requesters until the next billing cycle begins or the limit is manually increased. During this suspension, the CDN stops forwarding all traffic to your origin.
Edge delivery rules
Edge delivery rules allow you to manipulate how traffic is handled at the edge before it reaches the user or your origin.
Request headers
By default, the CDN forwards all incoming request headers directly to your origin.
You can configure how the Host header is handled using the forwardHostHeader feature.
Enabling this feature allows the original client Host header to be passed through to the origin.
When a request routes through the CDN, the system automatically appends the following headers to provide contextual information about the client and the edge server processing the request:
| Header name | Description | Example value |
|---|---|---|
| Cdn-Connectionid | A unique identifier for the client’s connection. | 50273757232 |
| Cdn-Host | The CDN hostname handling the request. | 1abcd234ef56ghij789klmnop0.aa.cdn.onstackit.cloud |
| Cdn-Ja4 | The JA4 TLS fingerprint of the client. | t12d3415h6_7daa89052771_1eb89897b454 |
| Cdn-Loopcount | The number of times the request has routed through the CDN. | 1 |
| Cdn-Mobiledevice | Indicates whether the request originated from a mobile device. | false |
| Cdn-Proxyver | The version of the proxy software running on the edge server. | 1.51 |
| Cdn-Pullzoneid | The unique identifier of the configured pull zone. | 5678910 |
| Cdn-Requestcountrycode | The two-letter country code of the client’s location. | DE |
| Cdn-Requestid | A unique identifier for the specific request. | e3886a925dc6063cec54e76bdcd0baf3 |
| Cdn-Requeststatecode | The state or region code of the client’s location. | BW |
| Cdn-Serverid | The identifier of the specific edge server handling the request. | 1330 |
| Cdn-Serverzone | The region or zone of the edge server. | DE |
| Stackit-Cdn-Host | The STACKIT-specific CDN hostname. | 1abcd234ef56ghij789klmnop0.aa.cdn.onstackit.cloud |
To optimize caching and request handling, the CDN drops the following headers before forwarding the request to your origin:
- If-Modified-Since
- If-Unmodified-Since
- If-None-Match
- If-Match
- Range
- If-Range
To identify traffic sources and manage backend communication, you can configure custom headers that the CDN includes in every request sent to your origin. This is particularly useful for identifying traffic coming specifically from the CDN or providing basic authentication tokens required by your backend. However, because these headers are stored as plain text, you should avoid using them for high-stakes secrets.
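An origin-side check for the custom header described above, as an added example that is not STACKIT code. It reads the Cdn-* context headers only after the custom header matches, because a client that reaches a publicly accessible origin directly can send any Cdn-* header it likes. The header name, its value and the loop cut-off are assumptions of this example.

```python
import hmac

# Assumptions (not STACKIT names): the header name and value below stand for
# whatever custom origin request header you configured on the distribution.
ORIGIN_HEADER = "x-origin-auth"
EXPECTED_VALUE = b"constructed-example-value"
MAX_LOOPCOUNT = 3  # assumed cut-off for requests looping through the CDN


def inspect_origin_request(headers):
    """Decide at the origin whether a request arrived through the CDN.

    Returns (accepted, info). Cdn-* context is only read after the custom
    header matched, so forged context on a direct request is never trusted.
    """
    h = {name.lower(): value for name, value in headers.items()}
    presented = h.get(ORIGIN_HEADER, "").encode()
    # Constant-time comparison avoids leaking the value through timing.
    if not hmac.compare_digest(presented, EXPECTED_VALUE):
        return False, {"reason": "custom origin header missing or wrong"}
    try:
        loops = int(h.get("cdn-loopcount", "0"))
    except ValueError:
        return False, {"reason": "malformed Cdn-Loopcount"}
    if loops > MAX_LOOPCOUNT:
        return False, {"reason": "request is looping through the CDN"}
    return True, {
        "request_id": h.get("cdn-requestid"),        # correlate with CDN logs
        "country": h.get("cdn-requestcountrycode"),  # input for geofencing
        "ja4": h.get("cdn-ja4"),
    }


# Constructed sample requests, using the example values from the table above.
VIA_CDN = {
    "X-Origin-Auth": "constructed-example-value",
    "Cdn-Requestid": "e3886a925dc6063cec54e76bdcd0baf3",
    "Cdn-Requestcountrycode": "DE",
    "Cdn-Ja4": "t12d3415h6_7daa89052771_1eb89897b454",
    "Cdn-Loopcount": "1",
}
DIRECT_WITH_FORGED_CONTEXT = {"Cdn-Requestcountrycode": "DE", "Cdn-Loopcount": "1"}

if __name__ == "__main__":
    print(inspect_origin_request(VIA_CDN))
    print(inspect_origin_request(DIRECT_WITH_FORGED_CONTEXT))
```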
Response headers
When the CDN returns a response to the client, it includes several headers detailing the cache status, edge server information, and response metadata.
Standard HTTP response headers (such as Cache-Control or Content-Type) can potentially be cached from your origin server.
Conversely, headers prefixed with Cdn- are generated and appended exclusively by the CDN itself.
| Header name | Description | Example value |
|---|---|---|
| Cdn-Cache | Indicates the cache status of the request (e.g., HIT or MISS). | HIT |
| Cdn-Cachedat | The date and time when the asset was stored in the cache. | 04/24/2026 11:40:50 |
| Cdn-Edgestorageid | The identifier for the edge storage node serving the content. | 1330 |
| Cdn-Proxyver | The version of the proxy software that processed the response. | 1.51 |
| Cdn-Pullzone | The identifier of the pull zone serving the response. | 5678910 |
| Cdn-Requestcountrycode | The two-letter country code of the client receiving the response. | DE |
| Cdn-Requestid | The unique identifier for the request. | e3886a925dc6063cec54e76bdcd0baf3 |
| Cdn-Requestpullcode | The HTTP status code returned by the origin during a pull. | 200 |
| Cdn-Requestpullsuccess | Indicates whether the origin pull was successful. | True |
| Cdn-Requesttime | The time taken to process the request (in milliseconds). | 0 |
| Cdn-Status | The HTTP status code the CDN returns to the client. | 200 |
Strip response cookies
To increase security or ensure that sensitive session data is not leaked via the CDN, you can enable the stripResponseCookies flag.
When enabled, the CDN intercepts the response from your origin and removes all Set-Cookie headers before the response is forwarded to the end user.
This is particularly useful for distributions serving purely static content where origin-level cookies are not required by the client.
Geoblocking and geofencing
Control access to your content based on user geographic location.
| Feature | Action |
|---|---|
| Geoblocking (regional) | Blocks traffic from specific countries or continents by null-routing or gateway blocking. |
| Geoblocking (IP) | Blocks specific IP addresses or CIDR ranges using security rules. |
| Geofencing | Redirects users or selects different origins based on the Cdn-RequestCountryCode header. |
Redirects
Force users to new locations using standard HTTP status codes.
- Supported codes: 301 (Permanent), 302 (Found), 307 (Temporary), or 308 (Permanent).
- Matchers: Rules use glob patterns (e.g., /shop/*) to trigger redirects based on the request path.
The STACKIT CDN accelerates content delivery by storing copies of your assets in edge locations across your selected regions (EU, US, AF, SA, ASIA). This reduces latency and minimizes the load on your origin server.
Default cache duration (TTL)
The time to live (TTL) determines how long an asset remains in the CDN cache before it is considered stale and must be fetched again from your origin.
- Origin headers: By default, the CDN respects cache-control headers sent by your origin server.
- Custom default TTL: If your origin does not provide a cache-control header, the CDN applies the default cache duration defined in your distribution configuration.
When you update content at your origin, the CDN may still serve the older version until the TTL expires. To force the CDN to fetch the latest version immediately, you must perform a manual purge.
There are different purge strategies available:
- Full purge: Invalidates the entire cache for the distribution. While effective, a full purge for a large website can cause a “cache stampede,” where a massive volume of simultaneous requests hits your origin server to repopulate the cache.
- Granular (Path-based) Purge: Invalidates only a specific path (e.g., /static/styles.css). This is the recommended approach for most updates, as it maintains the cache for unaffected assets and reduces the load on your origin.
To optimize your caching strategy, use the logging tools of STACKIT CDN to identify which assets are served from cache versus those causing origin pressure.
Image Optimizer
The Image Optimizer is a feature designed to dynamically enhance your media assets at the edge.
It provides real-time, on-the-fly image manipulation and optimization. By automatically compressing, resizing, and formatting your images before they reach the end user, the Image Optimizer ensures faster image delivery, drastically reducing bandwidth consumption and improving overall page load times.
Logging and monitoring
STACKIT CDN provides logging and monitoring tools to help you analyze traffic, investigate security events, and optimize performance. You can access this data through the STACKIT interfaces or by streaming it to an external destination.
Built-in log storage
By default, STACKIT CDN stores the 10.000 most recent log entries from the past hour. You can query these logs directly via the API to perform quick troubleshooting or traffic analysis. A log entry contains the following information:
| Field | Description |
|---|---|
| Status | The HTTP status code returned to the client (e.g., 200, 404). |
| Timestamp | The exact date and time (UTC) the request was processed. |
| Remote country | The ISO 3166-1 alpha-2 country code where the request originated. |
| Cache | Indicates if the request was a HIT (served from cache) or a MISS (fetched from origin). |
| Size | The total volume of data transferred in the response, measured in bytes. |
| Data center | The identifier of the specific CDN edge location that handled the request. A list of data centers is available here. |
| Path | The URL path of the requested resource. |
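A way to turn these log fields into a cache hit ratio and a ranking of the paths that pull the most bytes from the origin, as an added example that is not STACKIT code. The sample entries are constructed, and the dictionary key names are assumptions, since this page does not show the format the API returns.

```python
from collections import defaultdict

# Constructed sample entries. The keys mirror the documented fields; the exact
# key names returned by the API are an assumption of this example.
SAMPLE_LOGS = [
    {"status": 200, "cache": "HIT", "size": 48213, "path": "/static/app.js"},
    {"status": 200, "cache": "HIT", "size": 48213, "path": "/static/app.js"},
    {"status": 200, "cache": "MISS", "size": 900000, "path": "/downloads/report.pdf"},
    {"status": 200, "cache": "HIT", "size": 10240, "path": "/static/styles.css"},
    {"status": 200, "cache": "MISS", "size": 900000, "path": "/downloads/report.pdf"},
    {"status": 200, "cache": "MISS", "size": 12000, "path": "/index.html"},
    {"status": 200, "cache": "HIT", "size": 12000, "path": "/index.html"},
    {"status": 200, "cache": "HIT", "size": 10240, "path": "/static/styles.css"},
]


def cache_report(entries, top_n=5):
    """Return the hit ratio and the paths that pull the most bytes from origin."""
    total = len(entries)
    hits = 0
    misses = defaultdict(lambda: [0, 0])  # path -> [miss count, bytes fetched]
    for entry in entries:
        if str(entry["cache"]).upper() == "HIT":
            hits += 1
            continue
        record = misses[entry["path"]]
        record[0] += 1
        record[1] += int(entry["size"])
    # Largest origin transfer first; ties are broken by path for stable output.
    ranked = sorted(
        ((path, count, size) for path, (count, size) in misses.items()),
        key=lambda row: (-row[2], row[0]),
    )
    return {
        "hit_ratio": hits / total if total else 0.0,
        "origin_pressure": ranked[:top_n],
    }


if __name__ == "__main__":
    report = cache_report(SAMPLE_LOGS)
    print(f"hit ratio: {report['hit_ratio']:.1%}")
    for path, count, size in report["origin_pressure"]:
        print(f"{path}: {count} misses, {size} bytes from origin")
```

Paths that rank high here are candidates for a longer TTL or for path-based rather than full purges.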
Log sinks
If you require retention longer than one hour or need to store more than 10.000 entries, configure a log sink. A log sink exports your logs to an external observability platform in real time.
Currently, STACKIT CDN supports Grafana Loki as a log sink destination.
Depending on the traffic your distribution receives, the volume of log data can grow rapidly. Ensure your external logging infrastructure is scaled to handle the expected ingestion rate and storage requirements.
Metrics
In addition to granular logs, STACKIT CDN provides high-level metrics to monitor the health and efficiency of your distribution.
- Cache hit ratio: The percentage of requests served from the edge cache versus the origin. Aim for 80%-95%+ for static sites. A low ratio often suggests restrictive cache-control headers or excessive cache purging.
- Total usage: The total traffic volume (in bytes) processed by your distribution. Use this to monitor bandwidth consumption and forecast costs.
- Regional breakdown: Usage segmented by geographic region (e.g., EU, US, ASIA). This helps identify the location of your audience to optimize regional settings.