EdgeControl lets you run lightweight JavaScript logic at the CDN edge to customize how requests and responses behave without changing your origin application.
You can use EdgeControl to modify headers, rewrite URLs, update query strings, return responses directly from the edge, and support use cases like access control, geo-routing, localization, and CORS handling.
How EdgeControl works
Every EdgeControl script uses a handler function:
function handler(event) {
// Inspect or modify the event
return event;
} The event represents the CDN request or response being processed. Depending on your use case, you can read or modify:
Headers
URL path
Query string
Status codes
You can also stop normal processing and return a response directly from the edge.
Modify headers
Use header changes to add, update, or remove request or response headers.
event.headers.set("x-custom", ["value"]);
event.headers.append("x-custom", "another");
event.headers.delete("user-agent"); Common uses include
Adding security headers
Passing custom values to origin
Removing unnecessary headers
Modify the URL path or query string
Use path and query changes to rewrite requests before they continue through the CDN.
event.path = "/new-path";
event.query.set("key", "value"); Common uses include
URL rewrites
routing users to a different path
adding query parameters
Return a response directly from the edge
Use sendResponse when you want EdgeControl to stop normal processing and return a response immediately.
return event.sendResponse(403, {}, "Forbidden"); Common uses include
Blocking unauthorized requests
Denying access to private paths
Responding to browser preflight requests
Example 1: URL signature / token authentication
This example validates a signed URL before allowing the request to continue.
function handler(request)
{ const secret = "my-secret-key";
const token = request.query.get("token");
const path = request.path;
if (!token) {
return request.sendResponse(403, {}, "Missing token");
}
// Example: token = base64(path + secret)
const expected = btoa(path + secret);
if (token !== expected) {
return request.sendResponse(403, {}, "Invalid token");
}
return request;
} Use this for:
Protecting premium content
Signed URL access
Basic token-based access control
Example 2: Geo-based routing
This example routes U.S. users to a /us/ path.
function handler(request) {
if (request.client_country === "US") {
if (!request.path.startsWith("/us/"))
{ request.path = "/us" + request.path;
}
}
return request;
} Use this for:
Geo-routing Localization
Regional content delivery
Example 3: Block private paths
This example blocks requests to sensitive paths.
function handler(request) {
if (request.path.startsWith("/private/")) {
return request.sendResponse(
403, {
"content-type": ["text/plain"] },
"Access denied"
);
}
return request;
} Use this for:
Protecting internal APIs
Restricting admin paths
Enforcing security policies at the edge
Example 4: Handle CORS preflight requests
This example responds directly to browser OPTIONS requests.
function handler(request) {
if (request.method === "OPTIONS") {
return request.sendResponse(
200,
{
"access-control-allow-origin": ["*"],
"access-control-ads": ["GET, POST, OPTIONS"],
"access-control-allow-headers": ["Content-Type"],
"content-length": ["0"]
},
""
);
}
return request;
} Use this for:
Handling CORS preflight requests
Reducing unnecessary origin requests
Supporting browser-based applications
Before activating a script on production traffic:
Start with a simple script
Test on a development or test service
Confirm the script behaves as expected
Review which domains are attached to the service
Activate more broadly only after testing
Support
If you need help or something does not behave as expected, open a CacheFly support ticket or contact your CacheFly representative.
Include the service name, script version, example URL, expected behavior, and what actually happened.