EdgeControl lets you run lightweight JavaScript logic at the CDN edge to customize how requests and responses behave without changing your origin application.
You can use EdgeControl to modify headers, rewrite URLs, update query strings, return responses directly from the edge, and support use cases like access control, geo-routing, localization, and CORS handling.
How EdgeControl works
Every EdgeControl script uses a handler function:
function handler(event) {
// Inspect or modify the event
return event;
} The event represents the CDN request or response being processed. Depending on your use case, you can read or modify:
Headers
URL path
Query strings
Status codes
Message Body
You can also stop normal processing and return a response directly from the edge.
Modify headers
Use header changes to add, update, or remove request or response headers.
event.headers.set("x-custom", ["value"]);
event.headers.append("x-custom", "another");
event.headers.delete("user-agent"); Common uses include
Adding security headers
Passing custom values to origin
Removing unnecessary headers
Modify the URL path or query string
Use path and query changes to rewrite requests before they continue through the CDN.
event.path = "/new-path";
event.query.set("key", "value"); Common uses include
URL rewrites
routing users to a different path
adding query parameters
Return a response directly from the edge
Use sendResponse when you want EdgeControl to stop normal processing and return a response immediately.
return event.deny(403);Common uses include
Blocking unauthorized requests
Denying access to private paths
Responding to browser preflight requests
Redirect a client to a different URL
Use issueRedirect to send a 301, 302 or 303 redirect to the desired location.
return request.issueRedirect("/destination", {
statusCode: 302,
headers: {
"x-has-redirected": ["true”]
}
});Rewrite Content in Message Body Response
Modify the body of the response before delivering to end user.
Common Uses Include:
Rewrite content such as Manifest/Playlists for live or linear streams
Rewrite API response or HTML content
Modify the Body of any text based content to customize end user results
See detailed example "Rewrite Content of Message Body" in Example 5 below.
Example 1: URL signature / token authentication
This example validates a signed URL before allowing the request to continue.
function handler(request)
{ const secret = "my-secret-key";
const token = request.query.get("token");
const path = request.path;
if (!token) {
return request.deny(401);
}
// Example: token = base64(path + secret)
const expected = btoa(path + secret);
if (token !== expected) {
return request.deny(401);
}
return request;
} Use this for:
Protecting premium content
Signed URL access
Basic token-based access control
Example 2: Geo-based routing
This example routes U.S. users to a /us/ path.
function handler(request) {
if (request.client_country === "US") {
if (!request.path.startsWith("/us/"))
{ request.path = "/us" + request.path;
}
}
return request;
} Use this for:
Geo-routing Localization
Regional content delivery
Example 3: Block private paths
This example blocks requests to sensitive paths.
function handler(request) {
if (request.path.startsWith("/private/")) {
return request.deny(403);
}
return request;
} Use this for:
Protecting internal APIs
Restricting admin paths
Enforcing security policies at the edge
Example 4: Handle CORS preflight requests
This example responds directly to browser OPTIONS requests.
function handler(request) {
if (request.method === "OPTIONS") {
return request.sendResponse(200, {
headers: {
"access-control-allow-origin": "*",
"access-control-ads": "GET, POST, OPTIONS",
"access-control-allow-headers": "Content-Type",
"content-length": "0"
},
body: ""
});
}
return request;
} Use this for:
Handling CORS preflight requests
Reducing unnecessary origin requests
Supporting browser-based applications
Example 5: Rewrite Content of Message Body
This example shows how to modify the message body, which includes rewriting Stream manifests or playlists, HTML pages, or any text body content.
The example below modifies a Streaming Manifest/Playlist to change the body of an .m3u8 file.
For this example, the hostname in the absolute paths within the manifest are modified to use the CDN hostname rather than the hostname contained the original manifest.
function handler(response) {
const orig_headers = response.headers;
response.headers.set('x-cfec-resp', 'true')
const sourceHost = 'stream.company.com'
const targetHost = 'cfhostcdn.cachefly.net'
// Non-m3u8 — no changes
const contentType = response.headers.get('content-type') || ''
if (!contentType.includes('mpegurl') && !contentType.includes('x-mpegurl')) {
return response
}
// m3u8 — rewrite host in manifest body to CacheFly CDN host
response.body = response.body.replaceAll(sourceHost, targetHost)
return response.sendResponse(200, {body: response.body.replaceAll(sourceHost, targetHost), headers: orig_headers})
response.headers.delete('content-length')
response.headers.delete('content-encoding')
response.headers.delete('transfer-encoding')
return response
}Use this for:
Modifying/Rewriting Video Streaming manifests or playlists body
Rewriting content in HTML pages or API output
Rewriting any text based message body content
Before activating a script on production traffic:
Start with a simple script
Test on a development or test service
Confirm the script behaves as expected
Review which domains are attached to the service
Activate more broadly only after testing
Support
If you need help or something does not behave as expected, open a CacheFly support ticket or contact your CacheFly representative.
Include the service name, script version, example URL, expected behavior, and what actually happened.
