EdgeControl lets you run lightweight JavaScript logic at the CDN edge to customize how requests and responses behave without changing your origin application.

You can use EdgeControl to modify headers, rewrite URLs, update query strings, return responses directly from the edge, and support use cases like access control, geo-routing, localization, and CORS handling.

How EdgeControl works

Every EdgeControl script uses a handler function:

function handler(event) {
  // Inspect or modify the event 
  return event; 
} 

The event represents the CDN request or response being processed. Depending on your use case, you can read or modify:

  • Headers

  • URL path

  • Query strings

  • Status codes

  • Message Body

You can also stop normal processing and return a response directly from the edge.


Modify headers

Use header changes to add, update, or remove request or response headers.

event.headers.set("x-custom", ["value"]); 
event.headers.append("x-custom", "another"); 
event.headers.delete("user-agent"); 

Common uses include

  • Adding security headers

  • Passing custom values to origin

  • Removing unnecessary headers

Modify the URL path or query string

Use path and query changes to rewrite requests before they continue through the CDN.

event.path = "/new-path"; 
event.query.set("key", "value"); 

Common uses include

  • URL rewrites

  • routing users to a different path

  • adding query parameters

Return a response directly from the edge

Use sendResponse when you want EdgeControl to stop normal processing and return a response immediately.

return event.deny(403);

Common uses include

  • Blocking unauthorized requests

  • Denying access to private paths

  • Responding to browser preflight requests

Redirect a client to a different URL

Use issueRedirect to send a 301, 302 or 303 redirect to the desired location.

return request.issueRedirect("/destination", {
    statusCode: 302,
    headers: {
      "x-has-redirected": ["true”]
    }
});

Rewrite Content in Message Body Response

Modify the body of the response before delivering to end user.

Common Uses Include:

  • Rewrite content such as Manifest/Playlists for live or linear streams

  • Rewrite API response or HTML content

  • Modify the Body of any text based content to customize end user results

See detailed example "Rewrite Content of Message Body" in Example 5 below.


Example 1: URL signature / token authentication

This example validates a signed URL before allowing the request to continue.

function handler(request) 
{ const secret = "my-secret-key"; 
const token = request.query.get("token"); 
const path = request.path; 
if (!token) { 
    return request.deny(401); 
 } 
// Example: token = base64(path + secret) 
const expected = btoa(path + secret); 
if (token !== expected) { 
    return request.deny(401);
 } 
return request; 
} 

Use this for:

  • Protecting premium content

  • Signed URL access

  • Basic token-based access control

Example 2: Geo-based routing

This example routes U.S. users to a /us/ path.

function handler(request) { 
  if (request.client_country === "US") { 
    if (!request.path.startsWith("/us/")) 
      { request.path = "/us" + request.path; 
      } 
   } 
return request; 
} 

Use this for:

  • Geo-routing Localization

  • Regional content delivery

Example 3: Block private paths

This example blocks requests to sensitive paths.

function handler(request) { 
  if (request.path.startsWith("/private/")) { 
    return request.deny(403); 
    } 
  return request;  
} 

Use this for:

  • Protecting internal APIs

  • Restricting admin paths

  • Enforcing security policies at the edge

Example 4: Handle CORS preflight requests

This example responds directly to browser OPTIONS requests.

function handler(request) { 
  if (request.method === "OPTIONS") { 
     return request.sendResponse(200, {
       headers: { 
         "access-control-allow-origin": "*", 
         "access-control-ads": "GET, POST, OPTIONS", 
         "access-control-allow-headers": "Content-Type", 
         "content-length": "0"
       }, 
       body: ""
     });
  } 
  return request; 
} 

Use this for:

  • Handling CORS preflight requests

  • Reducing unnecessary origin requests

  • Supporting browser-based applications

Example 5: Rewrite Content of Message Body

This example shows how to modify the message body, which includes rewriting Stream manifests or playlists, HTML pages, or any text body content.

The example below modifies a Streaming Manifest/Playlist to change the body of an .m3u8 file.

For this example, the hostname in the absolute paths within the manifest are modified to use the CDN hostname rather than the hostname contained the original manifest.

function handler(response) {
  const orig_headers = response.headers;
  response.headers.set('x-cfec-resp', 'true')

  const sourceHost = 'stream.company.com'
  const targetHost = 'cfhostcdn.cachefly.net'


  // Non-m3u8 — no changes
  const contentType = response.headers.get('content-type') || ''
  if (!contentType.includes('mpegurl') && !contentType.includes('x-mpegurl')) {
    return response
  }


  // m3u8 — rewrite host in manifest body to CacheFly CDN host
  response.body = response.body.replaceAll(sourceHost, targetHost)

  return response.sendResponse(200, {body: response.body.replaceAll(sourceHost, targetHost), headers: orig_headers})

  response.headers.delete('content-length')
  response.headers.delete('content-encoding')
  response.headers.delete('transfer-encoding')

  return response
}

Use this for:

  • Modifying/Rewriting Video Streaming manifests or playlists body

  • Rewriting content in HTML pages or API output

  • Rewriting any text based message body content


Before activating a script on production traffic:

  • Start with a simple script

  • Test on a development or test service

  • Confirm the script behaves as expected

  • Review which domains are attached to the service

  • Activate more broadly only after testing

Support

If you need help or something does not behave as expected, open a CacheFly support ticket or contact your CacheFly representative.

Include the service name, script version, example URL, expected behavior, and what actually happened.