Every time a browser requests a web page, an invisible conversation takes place in just a few milliseconds. In this exchange, client and server don't just swap content (the HTML or images) — they also exchange a series of critical instructions: the HTTP headers.
These headers determine how traffic behaves, how caching works, and how user privacy is protected. Processing them at the edge makes it possible to solve complex infrastructure challenges without touching a single line of code on the origin servers. In this post, we explore two critical capabilities you should master to move beyond using your CDN as a simple cache and start leveraging it as an intelligent cybersecurity and performance layer: dynamic backend routing and exclusive access control.
1. Dynamic Routing: Changing the Backend Based on Headers
What if you could route your users to different servers without them noticing and without changing the URL? This is the magic of changing the backend based on headers.
A very common use case is country-based routing. For example, if you run an international newspaper, you don't want a user in Miami having to cross the Atlantic to fetch content from a server in Madrid.
With just a few lines of VCL, you can ensure that the American user talks to the American server, reducing load time (TTFB — Time to First Byte) by more than half. In Perimetrical, this can be configured using the geo_country_code header:
sub vcl_recv {
    # Default backend
    set req.backend_hint = c82_tcdnes.backend();
    # Changing backend for Spanish users
    if (req.http.geo_country_code ~ "ES") {
        set req.backend_hint = c82_tcdnes.backend();
    }
    # Changing backend for American users
    if (req.http.geo_country_code ~ "US") {
        set req.backend_hint = c82_tcdnus.backend();
    }
}
Other Uses of Dynamic Routing
- Canary deployments and beta testing: you can route your employees or a group of beta testers (identified by a header such as X-Beta-User: true) to a server running the new version of your website, while regular users continue using the stable version.
- Risk-free migrations: if you're moving your website from an old server to a new one, you can progressively redirect traffic based on specific headers to make sure everything works before the final switchover.
- Device segmentation: you can direct requests from a mobile app (identified by the User-Agent) to an API-optimized backend, and desktop requests to one optimized for web rendering.
2. Advanced Security: Allowing Traffic Only with a Specific Header
Sometimes, you don't want your content to be public to everyone, or you want to make sure only certain applications can consume your resources. In cybersecurity terms, this is what we call token validation at the edge. By checking auth-tcdn headers, you can block unauthorized requests right at the edge. This doesn't just protect your data — it also saves bandwidth and CPU on your servers, since malicious traffic never reaches them.
sub vcl_recv {
    # Reject any request that does not carry the expected auth-tcdn value
    if (req.http.auth-tcdn != "e37be3f5e06e263445654c0d6ba0e123") {
        call deny_request;
    }
}
Common Uses of This Security Layer
- Origin server protection: you can configure your infrastructure to only accept requests that come directly from the CDN. By adding a secret header between the CDN and your origin, you block any attack attempt that tries to bypass CDN protection.
- Exclusive access: if you offer an API, you can allow traffic only from clients that send a specific authentication header. If the header is missing or incorrect, Perimetrical blocks the request at the edge before it consumes your server resources.
- Preventing hotlinking: prevent other websites from using your images or resources by verifying the Referer header.
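The origin-side half of the "origin server protection" item above, as an added example (not Perimetrical's code): a WSGI middleware that serves a request only when it carries the secret header the CDN injects. The header name X-Edge-Secret, both secrets and all function names are assumptions made for illustration; two secrets are accepted so the value can be rotated without an outage.

```python
import hmac

# Assumptions for this example: the header name and both secrets are
# constructed placeholders, not values from the page or from Perimetrical.
EDGE_HEADER = "HTTP_X_EDGE_SECRET"   # WSGI key for the "X-Edge-Secret" header
ACCEPTED_SECRETS = (
    b"constructed-current-secret",   # secret the CDN injects today
    b"constructed-previous-secret",  # still accepted while rotating
)


def is_from_edge(environ):
    """Return True only if the request carries a currently accepted secret."""
    presented = environ.get(EDGE_HEADER, "").encode("latin-1", "replace")
    ok = False
    # Check every secret in constant time, without short-circuiting, so
    # response timing does not reveal which secret or how much of it matched.
    for secret in ACCEPTED_SECRETS:
        ok |= hmac.compare_digest(presented, secret)
    return ok


class EdgeOnly:
    """WSGI middleware: reject requests that did not come through the CDN."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_from_edge(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        # Drop the secret so application code and logs never see it.
        environ.pop(EDGE_HEADER, None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real origin application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"origin content\n"]


def status_for(headers):
    """Run one constructed request through the middleware; return the status."""
    seen = []
    EdgeOnly(demo_app)(dict(headers), lambda status, hdrs: seen.append(status))
    return seen[0]
```

The check only holds if the CDN-to-origin hop is encrypted and the secret is kept out of access logs; restricting the origin firewall to the CDN's address ranges is a complementary control.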
Mastering HTTP headers is the first step toward optimizing how you use your CDN. Whether you're testing new features without risk or locking down access to your data, the flexibility offered by languages like VCL in Perimetrical is your best ally.
Need to implement custom backend logic? Our technical team can help you design the perfect VCL rule for your use case.