The guide library.
Step-by-step technical references, written from practice, stamped with a last-verified date — and each one ends with a worksheet you can take into the room.
Trusted by 100+ enterprises worldwide
Technical guides, verified and dated.
How-to references written from practice: benchmarks, contracts, migrations, security and multi-CDN operations. Each guide carries a last-verified date and ends with a worksheet you can take into the room. New guides publish in batches — one hundred live today, the full library is on its way.
A step-by-step method for benchmarking CDN candidates against your real traffic.
The eight contract clauses that decide what a CDN deal really costs.
A staged CDN cutover plan.
Request hit ratio versus byte hit ratio, where each is reported, what values are healthy per content type, and.
The criteria that decide video CDN selection.
The edge security settings every deployment should enable.
How to run two CDNs with automatic failover.
A 120-day renewal playbook.
The edge log fields worth keeping, retention tiers that balance cost against investigations, delivery options .
What ICP filing and licensing actually require, the three delivery architectures available to foreign companie.
Replace the feature wishlist with workloads, numbers and disqualifiers that actually separate vendors.
A five-day elimination method that turns the whole vendor field into three testable candidates.
Turn 14 trial days into an experiment: real traffic, deliberate failures, verdicts written before expiry.
Six line items, your traffic profile, and the sensitivity checks that catch bill surprises early.
Dots vs served traffic, peering vs presence — the questions that turn a map into evidence.
The provider-agnostic first hour: origin, zone, TLS, verify it's actually caching, cut over.
Subdomain CNAMEs, the apex problem, TTL strategy — the records that keep your estate flexible.
The cookie and admin exclusions, publish-time purging, and the checks before you trust it.
The four-tier content model, cart-safe rules, and sale-day preparation for stores.
Immutable bundles, fresh index.html, route fallbacks and deploys that never strand users.
What the edge buys at zero caching, which endpoints can micro-cache, and the rules that keep it safe.
What the indirect channel actually does, where its economics come from, and what to demand.
Criteria before access, numbers on thresholds, failure days in scope — PoCs that produce decisions.
What belongs in the key, what to normalize out, and the audit that finds fragmentation.
Four questions that land every asset class on a defensible number, not folklore.
What each directive really means — including the ones everyone misreads — and the combinations to memorize.
SWR and stale-if-error per platform, the windows to choose, and rails for content that must not lie.
The three purge types, surrogate-key design, event wiring, and stampede protection.
Content hashes vs query versions, the reference chain rule, deploy order and retention windows.
Ten ranked levers from key normalization to HTML caching, each with its expected gain.
The anonymous split, bypass rules, personalized-fragment patterns and pre-launch leak tests.
Cookie rules that separate session from noise, Vary's legitimate uses, and the audit for both.
The three signals it pays, shield placement, per-platform cost shapes, and verifying the collapse.
What to compress, the two-track level strategy, variant caching, and where Zstandard stands.
The format ladder, URL-based variants, responsive sizing, and metering that controls cost.
Font subsetting and self-hosting, the end of the shared-cache myth, and taming the third-party tail.
Alt-Svc, the toggle, and the three checks that prove QUIC is carrying real traffic.
The handshake is a tax on every new connection. Resumption, stapling and a lean chain cut it.
Use the server think-time. What to hint, what to skip, and how to measure the LCP shift.
One number, five ingredients. Split DNS, connect, TLS, edge and origin before blaming anyone.
Fewer checks, better placed, with alert rules a human can defend at 3 a.m.
Field data is the truth. Ship the beacon safely, sample sanely, and tag every beacon with the splits you'll need.
Cache status, timing pairs, bytes and protocol — the grammar of the edge, one line at a time.
Same origin, same config, same clients, warmed caches — or the numbers are theatre.
Reproduce, split client/edge/origin, then walk the branch. Twenty minutes to an owner, not a shrug.
First users shouldn't pay the miss tax. Build the URL list, warm per POP, verify with headers.
Forecast, harden origin, pre-stage a degradation plan, warn the vendor, staff the war room.
Fewer fetches, cheaper fetches, gentler fetches — the three families between edge and origin.
High RTT, lossy radio, data-priced users. Engineer for the far network, win everywhere.
Observe first, measure the false positives, carve the exceptions, then block in stages — the rollout order that never takes down a checkout.
Rank rules by friction, classify every match, scope the fix to path and parameter, and regression-test — the loop that ends WAF whack-a-mole.
Pick the counting key, set budgets from measured p99s — not guesses — and choose penalties that de-escalate. Plus the CGNAT trap that burns per-IP limits.
Three lanes — verified crawlers pass, hostile automation is blocked, the ambiguous middle gets challenged — and the allowlist that keeps Googlebot and your own app out of the crossfire.
Hiding the IP is step one, not the plan. The four-rung ladder: clean IP hygiene, edge allowlists, secret headers or mTLS, and private connectivity when stakes justify it.
URLs for single objects, cookies for whole libraries; what belongs in the token, dual-key rotation that never locks users out, and the cache-key trap that shreds hit ratio.
One edge rule covers every response. The baseline five, the values that fit most sites, and the two headers — HSTS preload and CSP — that punish copy-paste without thought.
Attacks are survived on a quiet Tuesday: contacts and escalation paths, pre-approved switches, traffic baselines, comms templates — written down before the first packet.
Lifetimes collapse from 398 days to 200 now, 100 in 2027, 47 by 2029 — CDN-managed issuance, custom-cert automation, the origin side, and the monitoring that catches what slips.
A compliance and abuse-shaping tool, not a security boundary: what IP geolocation can and cannot promise, honest 403s vs quiet nulls, and the VPN question answered per use case.
Security decays by drift, not drama. Ten checks in half a day: origin exposure, TLS floor, WAF exceptions, token and access hygiene, dangling DNS — run empirically, from outside.
Ride it out or route around it — the answer is decided before the incident: independent detection, an honest diagnosis tree, pre-priced options and the evidence the SLA claim needs.
Attackers choose which edge to attack, so protection equals the weakest CDN. The parity matrix, portable-vs-native control decisions, token compatibility, and tests that catch drift.
One chain from camera to player — and three cache classes with opposite rules. Manifests near-zero, segments long, init fragments forever: the settings that fan one origin out to a million viewers.
Immutable segments, year-long TTLs, one CMAF copy instead of two, session-scoped tokens that never touch the cache key — VOD is the friendliest workload a CDN has, if you let it be.
First frame = page + player + manifest chain + init + first segments, all sequential. Shorten the chain, start on the right rung, keep the head of every title hot — the checklist toward one second.
The buffer drained faster than delivery refilled it — but where? Measure, localize by dimension, attribute to ladder, ABR, cache or peering, then fix in the order that usually wins.
Parts, preload hints and blocking playlist reloads take live from 20+ seconds to 2–5 — if packager, CDN and player all cooperate. What each must do, and when standard latency is the wiser buy.
Tokens gate the door, DRM locks the file, watermarking names the leaker — three layers doing three different jobs, applied by content value, not by fear.
Millions of clients, tens of gigabytes, minute zero. Warn the CDN in writing, pre-warm every chunk, range-split the payload, stagger the rollout — the launch-day playbook.
Immutable versioned paths, byte-range resumes, deltas for the bandwidth, staged percentage rollouts with a kill switch, and a second path for the bad day — update plumbing done right.
MP3s behind a CDN — plus the traps: measurement prefixes stacking redirects, IAB range-counting rules, release-morning spikes, and RSS polled by every app on earth.
Every uploaded file is adversary-authored until proven otherwise: signed direct uploads, transcode-everything normalization, a separate cookieless domain, and takedown purges that verifiably land.
Personalize the playlist, never the media: session manifests bypass cache, content and ad segments stay shared, tracking beacons live off the media path — SSAI without the delivery tax.
Concurrency × bitrate = the terabits you must book, not hope for. The worked capacity maths, provider bookings in writing, the dress rehearsal, and the war-room ladder for the night.
Four numbers tell the story: startup time, stall ratio, delivered quality, failure rate — measured at the player, cut by ASN/CDN/device, alerted on the cuts where trouble actually starts.
It buys availability, reach and leverage; it costs engineering, parity and hit ratio — forever. Five scored questions that end the debate with a defensible yes, no, or not-yet.
Active-passive, weighted active-active, performance steering, client-side switching — four patterns, rising in power and demands. Choose by what must survive, not by what demos well.
Weighted CNAMEs, health checks that test what users need, TTLs low enough to act and high enough to survive — and the resolver realities that decide how fast steering really is.
Two rule engines, one intended behaviour: express intent in code, translate per platform, push every change through one process, and let a cross-edge test suite — not memory — prove parity.
Three axes decide who serves what: ratios sized to commits and confidence, geographies assigned on measured evidence, workloads homed where each platform is strongest — reviewed on a calendar.
The traffic moves in minutes; the craft is what survives the move: sessions independent of the edge, tokens and certs valid on both, the long-poll tail handled, the drill rehearsed.
Segments make video uniquely switchable: retry-on-failure, standardized content steering, or full player-side selection — three tiers from insurance to per-segment optimization.
Two CDNs means twice the origin fetches — and cloud egress bills every byte. A neutral zero-egress store as the shared origin removes the tax; here is the setup and the fine print.
Every edge runtime is someone’s walled garden. Keep the logic thin, code to web-standard interfaces, treat vendor state as a cache, and keep a ledger of every tie you accept.
Build the destination in shadow, prove it with the parity suite, move traffic in percentage waves with the return path open, and only then — deliberately — decommission the source.
Evaluate with your traffic, not their brochure: log-driven replay, side-by-side response diffing, then a real dark-launch slice — three fidelities of shadow, run with provider etiquette.
Every hostname, valid on every platform, on 200-day-and-shrinking lifetimes — plus a DNS layer promoted to control plane. The delegation patterns and monitoring that keep it boring.
Users measure, traffic follows: per-ASN-per-CDN scores from your own RUM, decision rules with damping and minimum samples, and guardrails that keep the control loop from oscillating.
Regional tiers, request fees, feature add-ons, support percentages, overage — each line decoded, reconciled against your own logs, and checked for the drift that creeps in quietly.
Trend extrapolation for the base, driver-based modelling for the why, event build-up for the spikes — combined with error bands and refreshed monthly. Plus when each method lies.
Undercommit pays overage on the excess; overcommit pays for ghosts. The break-even maths across your forecast distribution, a worked example, and the terms that soften both tails.
Configuration beats negotiation on speed: hit ratio, compression, image bytes, log diet, request count, regional mix, storage moves, feature audit, commit fit, split leverage — ranked by payback.
A shared invoice is an unowned invoice. Map hostnames and paths to products, meter usage from logs, rate it into money, split the shared remainder by written rules — and publish it monthly.
Not the vendor’s SLA and not a wish: user-centric SLIs, targets derived from your own baseline, and error budgets that actually gate releases and spending decisions.
Take the meeting back: your scorecard opens, incidents arrive with asks attached, the commercial position is stated plainly, and every item leaves with an owner and a date.
Credits are claimed, not granted: know the SLA’s measurement rules before the incident, capture independent evidence during it, file inside the deadline — and price the credit honestly.
Hostnames, providers, origins, DNS, certs, contacts, contract dates, runbook links — one page, in version control, linked from the incident channel, and kept true by habit, not heroics.
Week one: concepts and the estate tour. Week two: logs, purge, dashboards hands-on. Week three: real changes, supervised. Week four: drills. Signed off against a checklist, not vibes.
The edge scales; your obligations don’t scale themselves. Seasonal curve, event calendar, regional growth, provider notification thresholds, and a written headroom policy — one page, reviewed quarterly.
The year, accounted for: traffic and spend vs forecast, SLO attainment, incident themes, security and vendor posture — compressed into next year’s decisions, owners attached.
