Code examples in VCL

Use surrogate keys to link all objects under each path prefix, allowing wildcard purging of all URLs that share a common prefix.

Create an API endpoint for fetching geolocation data for the requesting browser, implemented 100% at the edge. The response should show your current approximate location, but no requests to any origin servers.

Add geolocation data about the client browser as extra headers in any requests from Fastly to your origin.

Park request, make a different request first, use the response to annotate the real origin request (or make decisions about how to route it).

Use a custom Paywall header to trigger preflight requests to authenticate every article view with a backend paywall service.

Detect requests that contain submitted passwords and use a service to determine whether the password has leaked before allowing the request to proceed to origin (data from haveibeenpwned).

Generate relative time datelines at the Edge instead of in the browser or at origin. Better caching, faster rendering, fewer reflows.

Detect requests that don't include a www. prefix, and redirect to the equivalent path on a hostname that starts with www., usually to make sure there's only one canonical location for your content.

Prioritize human traffic over search crawlers by serving stale content to crawlers.

Normally OPTIONS requests aren't cacheable. Allow caching of OPTIONS by converting the request to a GET and back to OPTIONS if it's a cache miss.

Set TTLs at the edge based on the type of resource. Better done at origin, but this can be a great 'quick fix' or a solution if you don't control the origin.

Set TTLs at the edge based on looking up a path prefix in a dictionary.

Stream responses to the browser while still receiving data from the origin and also saving it to cache. Great for spreading out server-sent-events streams to millions of users from a single source stream.

Collect and aggregate log data submitted from browsers directly into S3 or another log store without having to handle the traffic at your origin.

Send request to different origin servers based on the URL path.

Detect specified response statuses from backends and instead serve a precomposed error page or error content generated at the edge.

Browsers send OPTIONS requests before performing cross-origin POSTs. You can answer these requests directly from the edge.

Store username/password list in a dictionary, authorize user at the edge, reject requests that don't have correct credentials.

Serve full text of robots.txt as a synthetic response to avoid requests hitting your origin.

Deal with all potential scenarios for using stale content to satisfy requests when origin is unhealthy or misbehaving.

Load balance requests randomly across multiple backends, dropping them automatically if they become unhealthy.

Map requests to backends consistently, which can be useful to improve your internal cache and replication efficiency.

Try backends in turn until one is healthy (also known as an 'active-standby' strategy).

Map requests to backends based on user ID (a.k.a., "sticky sessions").

Emit logging data to your chosen log endpoint from any VCL stage, not just vcl_log.

Serve binary objects, such as images, directly from edge configuration.

Make URLs expire after a configurable period.

Use Fastly Image Optimizer to transform and serve images at the edge, closer to your users.

Typically requests are flagged for IO before they are sent to a backend, but using a restart in VCL, you can inspect a response before deciding whether to optimize it.

Purge your edge cache automatically at a certain time. This may cause an inrush of traffic to origin at the scheduled time and should be used with care.

Go from an F to an A grade on securityheaders.io by adding security policy headers to your responses at the edge.

Fastly can easily read and write HTTP headers at multiple stages of the request/response cycle.

Receive a request for one path but request a different path from origin, without a redirect.

Add, remove, and sort querystring parameters.

Change PUT, DELETE, OPTIONS and others to POST, or vice versa, to help integrate incompatible client and server apps.

Compress HTML, SVG, and other compressible formats at the edge and store and serve both compressed and uncompressed versions.

Quickly fetch the user's public IP from an API endpoint on your own domain, with no origin.

Read individual cookies, set new cookies in response.

Rewrite headers to keep only keys that you want to allow, similar to `querystring.filter_except` but for headers rather than querystrings.

Treat URLs with and without suffixed slashes as equivalent, or redirect URLs with slashes to the version without.

By default, Fastly does not cache responses to POST requests. But you can enable this if you wish.

Block a list of IP addresses from accessing your service and include an expiry time.

Block a list of IP address ranges from accessing your service.

Intercept suspicious traffic and display a CAPTCHA challenge. If the user passes, allow the request to go to the origin server.

Improve cache performance by normalizing requests. Filter and reorder query params, convert to lowercase, filter headers, and more.

Use a public GCS bucket as a backend for your Fastly service.

Use AWS compat mode to make authenticated requests to your GCS bucket.

Use AWS authenticated requests (signature version 4) to protect communication between your Fastly service and AWS.

Use Microsoft Azure authenticated requests to protect communication between your Fastly service and Azure.

Use authenticated requests to protect communication between your Fastly service and Alibaba's Object Storage Service.

Build raw JSON strings matching your BigQuery table schema to send log data to BigQuery.

To allow caching of POST requests, consider rewriting them as GET requests at the edge.

PCI-compliant caching requires caching only in volatile storage, which you can enable with beresp.pci in VCL.

HIPAA-compliant caching requires caching only in volatile storage, which you can enable with `beresp.hipaa` in VCL.

Cached a large number of objects for too long and want to update and shorten their TTLs.

Send a copy of your traffic to a test origin before returning a response from production.

Detect and reject requests from third-party websites that attempt to embed your images on their pages.

Ensure resources are not cached on the front end, while allowing caching within Fastly.

Use Fastly's support for ESI to combine multiple origin-hosted objects into a single response at the edge.

Remove headers added by backends that you don't want to emit to the browser, like amz- or goog- headers.

Redirect any requests that come into a VCL service on insecure HTTP, to the equivalent TLS endpoint (the Compute platform does this automatically).

Protect clients from redirects by chasing them internally at the edge, and then return the eventual non-redirect response.

If a backend returns a 429, cache it for the requesting IP but continue to allow other clients to use origin.

Return different objects based on the presence of a cookie.

Use the new Sec-Fetch-Dest header or URL patterns to identify assets that should not allow querystrings to be part of the cache key.

Group countries to cache content by custom regions or reject requests from some regions entirely.

Bucket users into small grid squares to allow for hyper-local content caching (e.g., "stores near you", "local offers").

Due to ITP 2.1 restrictions, cookies set in JavaScript may be limited to a 7-day TTL. Set your Google Analytics cookie on the edge to avoid this.

If primary backend fails, retry with a different backend without caching the failure or reducing cache efficiency.

If primary backend fails, requests with IO enabled require some special handling.

Fastly offers a myriad of different variables that you can log. See and test a large collection here.

Avoid a huge inrush of traffic to origin caused by gradually applying changes that affect the cache key, like segmented caching, over hours or days.

Use custom, predefined classnames like large, medium, small, teaser, thumb, or article to control Fastly Image Optimizer and optionally prevent end-user access to native properties like 'width'.

Shielding directs requests through two Fastly POPs instead of one, improving cache hit ratio and reducing traffic to your origin.

Combine multiple source images into a single image and then optimize and serve the result.

Strip the last octet or compute a hash of client IP address for anonymization.

Identify which type of IP address was used by the client connecting to your Fastly service.

Convert a password sent by the client in the querystring into a Authorization header to your origin server.

GraphQL query requests are POSTs, but responses to POST typically can't be cached. Convert it to a querystring on a GET request to allow Fastly to cache GraphQL (or any HTTP POST) request.

Unknown data in URL paths can result in invalid URLs, but base64url is designed to be URL-safe.

Block or identify syntactically invalid requests at the edge by using a hash function of your choice.

Decode the popular JWT format to verify user session tokens before forwarding trusted authentication data to your origin.

Serve different responses to separate user cohorts.

Use a dictionary of URL mappings to serve your redirects at lightning speed.

A totally stateless solution to hold back new users for a minimum waiting period to smooth out spikes in traffic.

Divide the world into time bands of custom size and forward time zone data to your origin server.

Format dates and times in a variety of ways.

Match URL prefixes and make use of configurable response status and querystring preservation.

Adjust the maximum TCP socket pacing for connections at peak times of day in busy regions.

Validate your CenturyLink tokens for access to video stream playlists.

Force a response to be delivered very slowly to reduce the rate at which an attacker can send requests.

Use custom edge code to implement support for the proprietary Edge-Control cache directive.

Rate counters are normally used for detecting high volume DoS-style attacks, but you can also use them to measure lower rates, to ensure that navigation between pages is happening at human speed.

Use ratecounters and penalty boxes to stop high-volume automated attacks against your website.

Create an HTTP API for real time backend health status

Check for known bad bots and crawlers and deny traffic.

Check for a subdomain and rewrite the URL path.

Check for specific URL extensions and deny access with a 403.

Check for a country code on an incoming request, and if it's present, deny access with a 403.

If edge and shield POPs are purged in the wrong order, stale content may get re-cached. You can prevent that.

Surrogate key purges are fast and flexible and can be used in place of single URL purge and purge-all.

If you have multiple hosting locations, Fastly can route traffic to the closest one.

Disable edge caching and skip the Fastly readthrough cache for every request, ensuring nothing is cached at the edge.