A Content Delivery Network is a globally distributed mesh of servers that sits between your origin and your visitors. When a request comes in, the CDN serves it from the nearest edge location instead of round-tripping all the way to your origin. Faster for the user, cheaper for you, harder for attackers.
What you get
- Latency reduction. Static assets — JS bundles, CSS, images, fonts — live in cache at hundreds of points of presence. A user in Tokyo gets your site from a Tokyo edge in 5 ms instead of crossing the Pacific for 150 ms.
- Origin shielding. Most requests never touch your origin server. Your backend can run on a tiny VPS while still surviving viral traffic.
- TLS termination. The CDN does the TLS handshake with the visitor; if the edge-to-origin hop runs over a private link, your origin can serve plain HTTP. Lower CPU on origin, and certificate issuance and auto-renewal handled at the edge instead of on your box.
- DDoS mitigation. Tier-1 CDNs absorb attacks measured in terabits per second. You couldn't if you tried.
- WAF + bot management. Layer 7 filtering at the edge — blocks SQL injection attempts, scrapers, credential stuffing before they reach you.
- Image / video optimisation. Many CDNs transcode on the fly: send the right format (AVIF, WebP, MP4) for each device.
- Edge compute. Modern CDNs (Cloudflare Workers, Fastly Compute@Edge, AWS Lambda@Edge, Vercel Edge Functions) let you run your code at the edge, not just cache assets.
How a request actually flows
- Your domain's DNS A record points at a CDN-provided IP, not your origin. Anycast routing drops the user at the closest edge.
- The edge node checks its cache. Cache hit: served immediately. Cache miss: fetches from origin (often via a "tier 2" shield closer to origin), stores the result, and serves it. Subsequent users in that region get the cached copy.
- Cache validity is governed by the Cache-Control headers your origin sends: "max-age=31536000, immutable" for content-hashed assets; "no-store" for live data.
The big providers
- Cloudflare — 300+ cities, generous free tier, broad feature set (WAF, Workers, R2 storage, Zero Trust). Best default for most projects.
- Akamai — the original (1998), strong enterprise + media-streaming presence, complex pricing.
- Fastly — VCL-based config (very expressive), strong dev community, loved by news media + content sites.
- AWS CloudFront — tight integration with the rest of AWS, the obvious choice if your origin's already there.
- Bunny.net, KeyCDN, BunnyCDN — cheaper, smaller, fine for static-asset delivery.
Trade-offs
- TLS visibility. The CDN sees your decrypted traffic by definition. You're trusting them with whatever your users send. Most are fine; pick one with a privacy story you're comfortable with.
- Origin-IP leakage. If your origin IP is ever exposed (DNS history, email headers, careless tooling), attackers can bypass the CDN and hit it directly. Lock origin firewalls to CDN IP ranges.
- Cache invalidation pain. Famous one. The traditional answer is content-hashed URLs so you never invalidate, you just publish new URLs.
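To make the "lock origin firewalls to CDN IP ranges" point concrete, here is an added Python example (not from IPFerret or from any CDN provider) that scans constructed origin access-log lines for requests arriving from outside a CDN allowlist and emits matching nftables allow rules. The CDN prefixes are stand-ins from the documentation address ranges, and the combined log format and the "inet filter input" chain name are assumptions.

```python
import ipaddress
import re

# Constructed allowlist built from documentation prefixes (RFC 5737 / RFC 3849);
# in practice, load the edge ranges your CDN provider publishes.
CDN_RANGES = [ipaddress.ip_network(c) for c in
              ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48")]

# Constructed origin access-log lines (combined log format). Two requests come
# from 192.0.2.44, an address outside the allowlist: they bypassed the CDN.
LOG_LINES = """\
203.0.113.17 - - [10/Oct/2023:13:55:36 +0000] "GET /app.3f2a9c.js HTTP/1.1" 200 51234
198.51.100.8 - - [10/Oct/2023:13:55:37 +0000] "GET /api/live HTTP/1.1" 200 812
192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 3021
2001:db8:1::9 - - [10/Oct/2023:13:55:41 +0000] "GET /img/hero.avif HTTP/1.1" 200 88012
192.0.2.44 - - [10/Oct/2023:13:55:42 +0000] "GET /health HTTP/1.1" 200 15
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

def is_cdn_ip(ip_str, ranges=CDN_RANGES):
    """True if ip_str parses and lies inside one of the CDN prefixes."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed address: never trust it
    return any(ip in net for net in ranges)

def direct_hits(lines, ranges=CDN_RANGES):
    """(client_ip, path) for each request that reached the origin from outside
    the CDN: evidence the origin IP is known and the firewall is not locked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not is_cdn_ip(m["ip"], ranges):
            hits.append((m["ip"], m["path"]))
    return hits

def firewall_rules(ranges=CDN_RANGES, port=443):
    """nftables rules (an 'inet filter input' chain is assumed) that accept
    `port` only from the CDN prefixes and drop every other source."""
    rules = []
    for net in ranges:
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"add rule inet filter input {family} saddr {net} "
                     f"tcp dport {port} accept")
    rules.append(f"add rule inet filter input tcp dport {port} drop")
    return rules
```

Run direct_hits over your real access log with your provider's published ranges to see whether anything is reaching the origin around the CDN; the emitted rules are the allowlist to load once that list is empty.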
Want to know if an IP belongs to a CDN? IPFerret detects most major ones — visit the Cloudflare ASN page as an example, or look up any IP at /whois.
