24 Feb 26

Making decisions based on HTTP headers

Every time a browser requests a webpage, an invisible conversation occurs in just milliseconds. In this exchange, the client and server do more than just swap content like HTML or images; they also trade a set of critical instructions: HTTP headers.

These headers determine how traffic behaves, how content is cached, and how user privacy is protected. Processing them at the edge allows you to solve complex infrastructure challenges without touching a single line of code on your origin servers. In this post, we explore two critical functions you must master to move beyond using your CDN as a simple cache and start using it as an intelligent layer for cybersecurity and performance: dynamic backend routing and exclusive access control.

1. Dynamic routing: changing the backend based on the header

What if you could direct your users to different servers without them noticing and without changing the URL? This is the magic of changing the backend based on headers.

A very common use case is geo-routing. This is incredibly useful, for example, if you run an international newspaper and want to ensure a user in Miami doesn’t have to cross the Atlantic to fetch content from a server in Madrid.

With just a few lines of VCL, you can ensure that American users communicate with an American server, cutting load times (TTFB – Time to First Byte) by more than half. At Transparent Edge, this can be implemented using the geo_country_code header:

sub vcl_recv {
    # Default backend
    set req.backend_hint = c82_tcdnes.backend();

    # Changing backend for Spanish users
    if (req.http.geo_country_code ~ "ES") {
        set req.backend_hint = c82_tcdnes.backend();
    }

    # Changing backend for American users
    if (req.http.geo_country_code ~ "US") {
        set req.backend_hint = c82_tcdnus.backend();
    }
}

Other uses for dynamic routing

  • Canary deployments and beta testing: You can direct your employees or a group of beta testers (identified by a header such as X-Beta-User: true) to a server running the new version of your website, while the rest of the world continues to see the stable version. Because any client can set this header itself, use it to choose a backend, not to keep the new version private.
  • Risk-free migrations: If you are moving your website from a legacy server to a new one, you can progressively redirect traffic based on specific headers to ensure everything is functioning correctly before the final cutover.
  • Device segmentation: You can route requests coming from a mobile app (identified by the User-Agent) to an API-optimized backend, while directing desktop traffic to one optimized for web rendering.

2. Advanced Security: Allowing traffic only with a specific header

Sometimes, you don’t want your content to be accessible to everyone, or you want to ensure that only specific applications can consume your resources. In cybersecurity terms, this is what we call edge token validation.

By implementing an auth-tcdn header check, you can block unauthorized requests directly at the edge. This not only protects your data but also saves bandwidth and CPU on your servers, as malicious traffic never even reaches them.

sub vcl_recv {
    # Deny any request whose auth-tcdn header is missing or differs from the shared token
    if (req.http.auth-tcdn != "e37be3f5e06e263445654c0d6ba0e123") {
        call deny_request;
    }
}

Common use cases for this security layer

  • Origin Shielding: You can configure your infrastructure to only accept requests coming directly from the CDN. By adding a secret header between the CDN and your origin, you block any attack attempt that tries to “bypass” the CDN’s protection.
  • Exclusive Access: If you offer an API, you can restrict traffic only to clients that send a specific authentication header. If the header is missing or incorrect, Transparent Edge blocks the request at the edge, before it can consume any of your server’s resources.
  • Hotlinking Prevention: Prevent other websites from using your images or assets by verifying the Referer header at the edge.
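The origin-side half of the Origin Shielding case above, as an added example that is not Transparent Edge's code: a WSGI middleware that serves a request only when it carries the secret the CDN attaches, compared in constant time and with two accepted values so the secret can be rotated. The header name X-Origin-Auth, the secret strings and the demo application are assumptions made for illustration.

```python
import hmac
from wsgiref.util import setup_testing_defaults

HEADER_KEY = "HTTP_X_ORIGIN_AUTH"  # WSGI name of the hypothetical X-Origin-Auth header


class OriginShield:
    """WSGI middleware: serve only requests carrying the CDN-to-origin secret."""

    def __init__(self, app, secrets):
        # Several secrets may be valid at once so the value can be rotated:
        # add the new one here, switch the CDN over, then remove the old one.
        self.app = app
        self.secrets = [s.encode() for s in secrets if s]
        if not self.secrets:
            raise ValueError("at least one non-empty secret is required")

    def _authorized(self, environ):
        presented = environ.get(HEADER_KEY, "").encode("latin-1", "replace")
        # Constant-time comparison against every accepted secret, no early exit.
        ok = False
        for secret in self.secrets:
            ok |= hmac.compare_digest(presented, secret)
        return ok

    def __call__(self, environ, start_response):
        if not self._authorized(environ):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Keep the secret away from application code and its logs.
        environ.pop(HEADER_KEY, None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the real origin application (constructed for this example).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"origin content\n"]


def status_for(app, header_value=None):
    """Send one constructed request through `app` and return its status line."""
    environ = {}
    setup_testing_defaults(environ)
    if header_value is not None:
        environ[HEADER_KEY] = header_value
    seen = []
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

In a real deployment the secrets would be loaded from the environment or a secret store instead of being written in source.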

Mastering HTTP headers is the first step toward optimizing your CDN usage. Whether you are testing new features risk-free or shielding access to your data, the flexibility offered by languages like VCL at Transparent Edge is your greatest ally.

Do you need to implement custom backend logic? Our technical team can help you design the perfect VCL rule for your specific use case.