From argos
CDN (CloudFront/Cloudflare/Fastly) discipline: cache key composition (URL + Vary + cookie/query whitelist), TTL strategy (s-maxage CDN + max-age browser + stale-while-revalidate + stale-if-error), origin shield, purge (single/wildcard/tag/all), signed URL (CloudFront/Cloudflare/Fastly token), image optimization (AVIF/WebP edge transform), HLS/DASH streaming, multi-CDN failover (DNS health check + RUM routing), edge compute (Workers/Lambda@Edge/Compute@Edge), TLS termination Full(strict), WAF + DDoS, RUM, cost tracking.
```
npx claudepluginhub resultakak/argos --plugin argos
```
This skill uses the workspace's default tool permissions.
`agents/shared/severity-rubric.md` and `agents/shared/escalation-matrix.md`
are treated as default-loaded (agents/coordination.md §11). This skill's output
must use the Critical / High / Medium / Low + evidence format; a speculative
Critical is forbidden. Findings outside this skill's ownership are delegated to the relevant agent; if the
decision-authority threshold is exceeded, user approval is mandatory.
```bash
# Cache hit rate (match header names only, so "max-age" in Cache-Control is not picked up)
curl -sI https://acme.com/index.html | grep -iE "^(cf-cache-status|x-cache|age):"
# CloudFront: X-Cache: Hit from cloudfront
# Cloudflare: cf-cache-status: HIT
# Fastly: x-cache: HIT, HIT
# TTL headers
curl -sI https://acme.com/api/products | grep -iE "cache-control|vary|surrogate"
```
CDN dashboard:
Target: > 85% hit rate for static; > 60% for dynamic.
```yaml
# Cloudflare cache rule
cache_key:
  custom_key:
    query_string: { include: [page, size, sort] }  # trackers (utm_*) are excluded
    header: { include: [Accept-Encoding, Accept-Language] }
    cookie: { include: [session_id, locale] }
    host: { resolved: true }
  ignore_query_strings_order: true
```
CloudFront equivalent: Cache Policy + Origin Request Policy.
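The same composition in code, as an added example that is not part of the original page or of any CDN's implementation: a hypothetical `cacheKey()` applies the allowlists from the rule above, so tracker parameters and parameter order stop splitting the cache while `session_id` still keeps per-session responses apart. The key layout (`host|path|query|headers|cookies`) and the sample requests are constructed.

```javascript
// Added example; the allowlists are copied from the cache rule above.
const QUERY_ALLOW = ['page', 'size', 'sort'];
const HEADER_ALLOW = ['accept-encoding', 'accept-language'];
const COOKIE_ALLOW = ['session_id', 'locale'];

function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Hypothetical key layout: host|path|query|headers|cookies.
function cacheKey(rawUrl, headers = {}) {
  const url = new URL(rawUrl);
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));

  // Allowlisted params only, sorted: utm_* and parameter order stop splitting the cache.
  const query = [...url.searchParams]
    .filter(([name]) => QUERY_ALLOW.includes(name))
    .map(([name, value]) => `${encodeURIComponent(name)}=${encodeURIComponent(value)}`)
    .sort()
    .join('&');

  // Allowlisted headers and cookies stay in the key, so responses that differ by
  // session or locale are never served across users.
  const headerPart = HEADER_ALLOW.map((n) => `${n}=${h.get(n) ?? ''}`).join(';');
  const jar = parseCookies(h.get('cookie'));
  const cookiePart = COOKIE_ALLOW.map((n) => `${n}=${jar.get(n) ?? ''}`).join(';');

  return [url.host, url.pathname, query, headerPart, cookiePart].join('|');
}
```

Any cookie the origin uses to personalize a response has to stay on the allowlist; dropping it from the key makes one user's response cacheable for another.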
Per site:
| Path | Browser | CDN | SWR | Notes |
|---|---|---|---|---|
| /_/assets/* | 1y | 1y | — | immutable versioned |
| /index.html | 5 s | 5 min | 2 min | no personalization |
| /api/products | 60 s | 5 min | 2 min | catalog |
| /api/orders | 0 | 0 | — | no-store private |
| /images/* | 1d | 1y | 10 min | content-hash URL |
| /sitemap.xml | 10 min | 1 h | 10 min | |
From the origin:
```http
Cache-Control: public, max-age=60, s-maxage=300,
               stale-while-revalidate=120, stale-if-error=86400
Vary: Accept-Encoding, Accept-Language
Surrogate-Key: product-catalog homepage
```
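To check a response against the TTL matrix, the added example below (not from the original page) parses `Cache-Control` and `Vary` into what the browser and the CDN are each allowed to do, and keeps `no-cache` (stored, revalidated on every use) apart from `no-store` (never stored). `cachePlan()` and its field names are hypothetical; headers are passed as an object with lowercase names, and `Expires` is ignored.

```javascript
// Added example: turn Cache-Control / Vary into a browser-vs-CDN plan.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), rest.join('=').replace(/^"|"$/g, ''));
  }
  return directives;
}

// null when the directive is absent; an invalid value counts as 0 (stale).
function seconds(directives, name) {
  if (!directives.has(name)) return null;
  const raw = directives.get(name);
  return /^\d+$/.test(raw) ? Number(raw) : 0;
}

function cachePlan(headers) {
  const d = parseCacheControl(headers['cache-control']);
  const noStore = d.has('no-store');
  const shared = !noStore && !d.has('private'); // may a CDN store it at all?
  const maxAge = seconds(d, 'max-age');
  const sMaxAge = seconds(d, 's-maxage');
  return {
    browserStores: !noStore,
    cdnStores: shared,
    // no-cache: the copy is stored but must be revalidated before each reuse.
    revalidateEveryUse: d.has('no-cache'),
    browserTtl: noStore ? 0 : (maxAge ?? 0),
    // s-maxage overrides max-age for shared caches only.
    cdnTtl: shared ? (sMaxAge ?? maxAge ?? 0) : 0,
    swr: seconds(d, 'stale-while-revalidate') ?? 0,
    staleIfError: seconds(d, 'stale-if-error') ?? 0,
    // No explicit lifetime: the cache may choose a heuristic TTL of its own.
    heuristic: !noStore && !d.has('no-cache') && maxAge === null && sMaxAge === null,
    vary: (headers['vary'] || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean),
  };
}
```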
CloudFront:
```json
{
  "OriginShield": {
    "Enabled": true,
    "OriginShieldRegion": "eu-west-1"
  }
}
```
Cloudflare: Argo Tiered Cache settings. Fastly: Shielding per service config.
Surrogate-Key header from the origin:
```http
Cache-Control: public, max-age=3600
Surrogate-Key: user-123 product-456 catalog-page
```
Tag-based purge:
```bash
# Cloudflare tag purge (the API expects a JSON body, so set Content-Type explicitly)
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE/purge_cache" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"tags": ["product-456", "catalog-page"]}'
# Fastly surrogate key
curl -X POST "https://api.fastly.com/service/$SVC/purge/product-456" \
  -H "Fastly-Key: $TOKEN"
```
CloudFront has no tag purge; invalidation is path-based, with wildcards:
```bash
aws cloudfront create-invalidation \
  --distribution-id E123 --paths "/products/456" "/catalog/*"
```
For a critical update, prefer a versioned URL (cache-bust) over a purge.
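```python
# CloudFront
import datetime

from botocore.signers import CloudFrontSigner

# KEY_PAIR_ID (the CloudFront public key ID) and rsa_sign_func (a callable that
# signs the policy bytes with the matching RSA private key) are supplied by the caller.


def signed_url(resource: str, expire_seconds: int = 3600) -> str:
    expire = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=expire_seconds)
    signer = CloudFrontSigner(KEY_PAIR_ID, rsa_sign_func)
    return signer.generate_presigned_url(resource, date_less_than=expire)
```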
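```javascript
// Cloudflare Workers signed URL
// `secret` is the Worker binding env.SIGN_SECRET; env is only available inside
// the fetch handler, not at module scope, so it is passed in.
async function sign(url, expireUnix, secret) {
  // The newline keeps the URL and the expiry from running together in the signed data.
  const data = `${url}\n${expireUnix}`;
  const key = await crypto.subtle.importKey(
    'raw', new TextEncoder().encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'],
  );
  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(data));
  // Base64 contains '+', '/' and '=', so escape it before placing it in a query string.
  const b64 = btoa(String.fromCharCode(...new Uint8Array(sig)));
  return `${url}?expires=${expireUnix}&signature=${encodeURIComponent(b64)}`;
}
```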
Discipline: expire ≤ 24h; KMS key rotation every 90 days; IP allowlist (optional).
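The verifying side of an HMAC-signed URL, with the 24h expiry rule enforced at the edge, as an added example that is not part of the original page. It assumes the signed data is the URL path, a newline, then the expiry, and a base64url signature; `signUrl`, `verifyUrl` and the result strings are hypothetical names.

```javascript
// Added example: sign and verify a URL with HMAC-SHA-256 (WebCrypto).
const MAX_TTL = 24 * 3600; // the page's rule: expire <= 24h
const enc = new TextEncoder();
// WebCrypto is a global in Workers and Node 20+; the fallback covers older Node.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

const hmacKey = (secret, usage) => subtle.importKey(
  'raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);

// base64url needs no escaping inside a query string.
const toB64Url = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4)),
  (c) => c.charCodeAt(0));

async function signUrl(rawUrl, expireUnix, secret) {
  const url = new URL(rawUrl);
  const data = enc.encode(`${url.pathname}\n${expireUnix}`);
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), data);
  url.searchParams.set('expires', String(expireUnix));
  url.searchParams.set('signature', toB64Url(sig));
  return url.toString();
}

// Returns 'ok' or the reason for rejecting the request.
async function verifyUrl(rawUrl, secret, nowUnix = Math.floor(Date.now() / 1000)) {
  const url = new URL(rawUrl);
  const expiresRaw = url.searchParams.get('expires') ?? '';
  const signature = url.searchParams.get('signature') ?? '';
  // Shape checks first: digits only, and exactly 43 base64url chars (32-byte MAC).
  if (!/^\d{1,12}$/.test(expiresRaw) || !/^[A-Za-z0-9_-]{43}$/.test(signature)) {
    return 'malformed';
  }
  // Use subtle.verify rather than comparing signature strings with ===.
  const data = enc.encode(`${url.pathname}\n${expiresRaw}`);
  const ok = await subtle.verify('HMAC', await hmacKey(secret, 'verify'), fromB64Url(signature), data);
  if (!ok) return 'bad-signature';
  const expires = Number(expiresRaw);
  if (expires <= nowUnix) return 'expired';
  // A valid signature with a longer lifetime means a signer ignored the policy.
  if (expires - nowUnix > MAX_TTL) return 'ttl-too-long';
  return 'ok';
}
```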
```html
<picture>
  <source type="image/avif" srcset="
    /image/cat.jpg?w=400&format=avif 1x,
    /image/cat.jpg?w=800&format=avif 2x
  ">
  <source type="image/webp" srcset="
    /image/cat.jpg?w=400&format=webp 1x,
    /image/cat.jpg?w=800&format=webp 2x
  ">
  <img src="/image/cat.jpg?w=400" loading="lazy" alt="cat" width="400" height="300">
</picture>
```
Edge transform: `/cdn-cgi/image/width=400,format=auto/...`

Origin: single high-res; edge transform + cache.
```nginx
# origin
location /hls/ {
    add_header Cache-Control "public, max-age=5, s-maxage=10";  # manifest
}
location /hls/segments/ {
    add_header Cache-Control "public, max-age=31536000, immutable";  # segment
}
```
Low-latency HLS (LL-HLS): chunked transfer; segment 2-6s; sub-2s glass-to-glass.
DNS-level (NS1 / Route 53 / Cedexis):
```yaml
# NS1 weighted + health
records:
  - { answer: cf.acme.com, weight: 70, health_check: cf-health }
  - { answer: fastly.acme.com, weight: 30, health_check: fastly-health }
health_check:
  cf-health: { type: http, url: https://cf.acme.com/_health, interval: 30s }
```
RUM-based routing: client-side beacon → the DNS provider learns which POP is fastest.
```javascript
// Cloudflare Worker: A/B test at edge
export default {
  async fetch(request, env) {
    const url = new URL(request.url);
    if (url.pathname === '/checkout') {
      // Consistent assignment per user
      const cookie = request.headers.get('cookie') || '';
      // Anchor on a cookie boundary so a cookie such as "myexp=b" is not matched.
      let variant = cookie.match(/(?:^|;\s*)exp=([ab])(?:;|$)/)?.[1];
      if (!variant) {
        variant = Math.random() < 0.5 ? 'a' : 'b';
      }
      url.pathname = variant === 'b' ? '/checkout-new' : '/checkout';
      const response = await fetch(url, request);
      const newResp = new Response(response.body, response);
      // Secure + SameSite keep the assignment cookie off plaintext and cross-site requests.
      newResp.headers.append(
        'Set-Cookie',
        `exp=${variant}; Path=/; Max-Age=2592000; Secure; SameSite=Lax`,
      );
      return newResp;
    }
    return fetch(request);
  },
};
```
Link to the /experiment-design skill.
```
[client] --TLS 1.3--> [CDN] --TLS 1.2+--> [origin]
                            Full (strict)
```
Cloudflare SSL mode: Full (strict) is mandatory; Flexible is forbidden.
Origin cert: Cloudflare Origin CA (15 years, origin-only) or Let's Encrypt with DNS-01 validation.
```yaml
# CloudFront: origin custom header (CDN-only allow)
custom_header:
  name: X-CDN-Auth
  value: $SECRET_TOKEN
```
```nginx
# origin (nginx); $SECRET_TOKEN stands for the same shared secret as in the CDN config
if ($http_x_cdn_auth != "$SECRET_TOKEN") {
    return 403;
}
```
Cloudflare prefix list IP allowlist (origin SG):
```bash
# Returns Cloudflare's published ranges as JSON (result.ipv4_cidrs, result.ipv6_cidrs)
curl https://api.cloudflare.com/client/v4/ips
# nginx allow + deny all
```
WAF managed rules: OWASP CRS, Bot Management.
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/web-vitals/4/web-vitals.iife.js"></script>
<script>
  // beacon(name, value) is the site's own reporting function (not shown here).
  window.webVitals.onLCP(({value}) => beacon('lcp', value));
  window.webVitals.onINP(({value}) => beacon('inp', value));
  window.webVitals.onCLS(({value}) => beacon('cls', value));
</script>
```
Beacon → CDN edge logger (Cloudflare Analytics, Datadog RUM).
| Metric | Threshold | Alert |
|---|---|---|
| Cache hit rate | < 70% | warn; < 50% page |
| Bandwidth / 24h | baseline +20% | warn |
| Egress USD / day | baseline +30% | page |
| Image transform / day | 80% of quota | warn |

Link to the /cost-review skill.
no-cache ≠ no-store: do not confuse them.

```
User: /cdn-review acme.com
Agent (platform-engineer + frontend-performance-auditor + security-reviewer):
1. Current state:
   - Cloudflare zone, free plan
   - Cache hit rate 52% ⚠ (target > 85% static)
   - Egress 8.2 TB / month → $640
   - LCP p75 mobile 3.2s (target 2.5s)
2. Cache key audit: all cookies + all query params are in the cache key
   (utm_source/utm_medium flood) → low hit rate.
3. TTL audit: 22 endpoints are missing Cache-Control; 8 endpoints send
   `Cache-Control: no-cache` (wrong; they want `no-store`).
4. Vary audit: 14 endpoints have no Vary; risk of Authorization leak.
5. Origin shield is off; every POP hits the origin → N× egress.
6. No image optimization; full-res 7MB JPEG hero.
7. TLS Flexible mode (edge→origin HTTP). MITM risk.
8. Origin IP public; DDoS bypass possible.
9. No RUM.
10. WAF managed rules are off; only 3 custom rules.
Findings:
- Critical: TLS Flexible (edge→origin plaintext)
- Critical: Origin IP public (no CDN allowlist)
- Critical: WAF managed rules disabled
- High: Cache hit rate 52% (cache key cookie/query flood)
- High: 14 endpoint Vary missing (auth leak)
- High: Origin shield disabled (N× egress + $$$)
- High: 22 endpoint Cache-Control missing
- Medium: Image not optimized (no AVIF/WebP)
- Medium: No multi-CDN failover
- Medium: No RUM
- Low: Static asset query versioning (?v=) cache flood
Action items: 11 issue + 4-week roadmap, projected cost -45%,
LCP improvement → < 2.5s.
```
```markdown
# CDN Review: <site | service>
## Current state
- Provider + plan
- Cache hit rate
- Egress + requests
- LCP/INP (RUM if available)
## Cache key audit
## TTL matrix per path
## Origin shield + purge strategy
## Signed URL (private content, if any)
## Image / HLS / DASH
## Multi-CDN failover
## Edge compute (if any)
## TLS + WAF + DDoS + Origin lock
## RUM + Cost dashboard
## Findings (Critical/High/Medium/Low)
## Action Items
| P | Action | Owner | Due |
|---|---|---|---|
```