Skill

cdn-engineering

CDN (CloudFront/Cloudflare/Fastly) disipline — cache key composition (URL + Vary + cookie/query whitelist), TTL strategy (s-maxage CDN + max-age browser + stale-while-revalidate + stale-if-error), origin shield, purge (single/wildcard/tag/all), signed URL (CloudFront/Cloudflare/Fastly token), image optimization (AVIF/WebP edge transform), HLS/DASH streaming, multi-CDN failover (DNS health check + RUM routing), edge compute (Workers/Lambda@Edge/Compute@Edge), TLS termination Full(strict), WAF + DDoS, RUM, cost tracking.

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/argos:cdn-engineering

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

`agents/shared/severity-rubric.md` ve `agents/shared/escalation-matrix.md`

SKILL.md

443 lines · ~3.1k tokens

Stats

LanguageHTML

Stars0

MaintenanceGood

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Stats

Actions

CDN Engineering

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load sayılır (agents/coordination.md §11). Bu skill'in çıktısı Critical / High / Medium / Low + kanıt formatında olmak zorunda — spekülatif Critical yasak. Sahiplik dışı bulgu ilgili agent'a delege; karar yetkisi eşiği aşılırsa kullanıcı onayı zorunlu.

Felsefe

Cache key explicit — default-cached yanıltıcı.
TTL doğru ölçü — s-maxage ≠ max-age.
Stale-while-revalidate edge'de altın standart.
Purge eventually consistent — versioned URL > purge.
Origin shield — origin'i N POP'tan değil 1'den vur.
Multi-CDN failover SaaS-critical.
WAF + DDoS edge'de.

Ne Zaman Kullanılır

Yeni site / API CDN onboarding
Cache hit rate düşük (< %70)
Origin overwhelmed (egress spike, latency)
LCP regresyon (CDN miss veya konfig kötü)
Multi-CDN failover kurulum (vendor outage incident sonrası)
Image optimization (mobile data savings)
HLS/DASH video streaming
Signed URL private content
Edge compute (A/B at edge, auth)
Cost optimization (egress, requests)
WAF + DDoS audit
TLS cert lifecycle

Workflow

1) Discovery — current state

# Cache hit rate
curl -I https://acme.com/index.html | grep -i "cf-cache-status\|x-cache\|age"
# CloudFront: X-Cache: Hit from cloudfront
# Cloudflare: cf-cache-status: HIT
# Fastly: x-cache: HIT, HIT

# TTL headers
curl -I https://acme.com/api/products | grep -iE "cache-control|vary|surrogate"

CDN dashboard:

Hit rate per zone / path
Bandwidth + request count
p50/p95 RTT per POP
Error rate

Hedef: > %85 hit rate static; > %60 dynamic.

2) Cache key audit

# Cloudflare cache rule
cache_key:
  custom_key:
    query_string: { include: [page, size, sort] }     # tracker (utm_*) exclude
    header: { include: [Accept-Encoding, Accept-Language] }
    cookie: { include: [session_id, locale] }
    host: { resolved: true }
  ignore_query_strings_order: true

CloudFront equivalent: Cache Policy + Origin Request Policy.

3) TTL matrix

Site başına:

Path	Browser	CDN	SWR	Notes
`/_/assets/*`	1y	1y	—	immutable versioned
`/index.html`	5 sn	5 dk	2 dk	personalization yok
`/api/products`	60 sn	5 dk	2 dk	catalog
`/api/orders`	0	0	—	no-store private
`/images/*`	1d	1y	10 dk	content-hash URL
`/sitemap.xml`	10 dk	1 saat	10 dk

Origin'den:

Cache-Control: public, max-age=60, s-maxage=300,
               stale-while-revalidate=120, stale-if-error=86400
Vary: Accept-Encoding, Accept-Language
Surrogate-Key: product-catalog homepage

4) Origin shield enable

CloudFront:

{
  "OriginShield": {
    "Enabled": true,
    "OriginShieldRegion": "eu-west-1"
  }
}

Cloudflare: Argo Tiered Cache settings. Fastly: Shielding per service config.

5) Purge strategy

Surrogate-Key header origin'den:

Cache-Control: public, max-age=3600
Surrogate-Key: user-123 product-456 catalog-page

Tag-based purge:

# Cloudflare tag purge
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE/purge_cache" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"tags": ["product-456", "catalog-page"]}'

# Fastly surrogate key
curl -X POST "https://api.fastly.com/service/$SVC/purge/product-456" \
  -H "Fastly-Key: $TOKEN"

CloudFront tag purge yok — invalidation path-based; wildcard:

aws cloudfront create-invalidation \
  --distribution-id E123 --paths "/products/456" "/catalog/*"

Critical update → versioned URL (cache-bust) > purge.

6) Signed URL

# CloudFront
from botocore.signers import CloudFrontSigner
import datetime

def signed_url(resource: str, expire_seconds: int = 3600) -> str:
    expire = datetime.datetime.utcnow() + datetime.timedelta(seconds=expire_seconds)
    signer = CloudFrontSigner(KEY_PAIR_ID, rsa_sign_func)
    return signer.generate_presigned_url(resource, date_less_than=expire)

// Cloudflare Workers signed URL
const SECRET = env.SIGN_SECRET;
async function sign(url, expireUnix) {
  const data = `${url}${expireUnix}`;
  const key = await crypto.subtle.importKey(
    'raw', new TextEncoder().encode(SECRET),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'],
  );
  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(data));
  return `${url}?expires=${expireUnix}&signature=${btoa(String.fromCharCode(...new Uint8Array(sig)))}`;
}

Disiplin: expire ≤ 24h; KMS key rotation 90g; IP allowlist (opsiyonel).

7) Image optimization

<picture>
  <source type="image/avif" srcset="
    /image/cat.jpg?w=400&format=avif 1x,
    /image/cat.jpg?w=800&format=avif 2x
  ">
  <source type="image/webp" srcset="
    /image/cat.jpg?w=400&format=webp 1x,
    /image/cat.jpg?w=800&format=webp 2x
  ">
  <img src="/image/cat.jpg?w=400" loading="lazy" alt="cat" width="400" height="300">
</picture>

Edge transform:

Cloudflare Image Resizing (/cdn-cgi/image/width=400,format=auto/...)
Fastly IO
Cloudinary / Imgix (SaaS)
AWS Serverless Image Handler (Lambda@Edge)

Origin: single high-res; edge transform + cache.

8) HLS/DASH

# origin
location /hls/ {
  add_header Cache-Control "public, max-age=5, s-maxage=10";   # manifest
}
location /hls/segments/ {
  add_header Cache-Control "public, max-age=31536000, immutable";  # segment
}

Low-latency HLS (LL-HLS): chunked transfer; segment 2-6s; sub-2s glass-to-glass.

9) Multi-CDN failover

DNS-level (NS1 / Route 53 / Cedexis):

# NS1 weighted + health
records:
  - { answer: cf.acme.com, weight: 70, health_check: cf-health }
  - { answer: fastly.acme.com, weight: 30, health_check: fastly-health }
health_check:
  cf-health: { type: http, url: https://cf.acme.com/_health, interval: 30s }

RUM-based routing: client-side beacon → DNS provider hangi POP en hızlı.

10) Edge compute örnek

// Cloudflare Worker — A/B test at edge
export default {
  async fetch(request, env) {
    const url = new URL(request.url);
    if (url.pathname === '/checkout') {
      // Consistent assignment per user
      const cookie = request.headers.get('cookie') || '';
      let variant = cookie.match(/exp=([ab])/)?.[1];
      if (!variant) {
        variant = Math.random() < 0.5 ? 'a' : 'b';
      }
      url.pathname = variant === 'b' ? '/checkout-new' : '/checkout';
      const response = await fetch(url, request);
      const newResp = new Response(response.body, response);
      newResp.headers.append('Set-Cookie', `exp=${variant}; Path=/; Max-Age=2592000`);
      return newResp;
    }
    return fetch(request);
  },
};

/experiment-design skill bağı.

11) TLS hardening

[client] --TLS 1.3--> [CDN] --TLS 1.2+--> [origin]
                          Full (strict)

Cloudflare SSL mode: Full (strict) zorunlu; Flexible yasak.

Origin cert: Cloudflare Origin CA (15 yıl, origin-only) veya Let's Encrypt ile DNS-01 validation.

12) WAF + DDoS + Origin lock

# CloudFront — origin custom header (CDN-only allow)
custom_header:
  name: X-CDN-Auth
  value: $SECRET_TOKEN

# origin (nginx)
if ($http_x_cdn_auth != "$SECRET_TOKEN") {
  return 403;
}

Cloudflare prefix list IP allowlist (origin SG):

curl https://api.cloudflare.com/client/v4/ips/v4
# nginx allow + deny all

WAF managed rules: OWASP CRS, Bot Management.

13) RUM kurulum

<script src="https://cdnjs.cloudflare.com/ajax/libs/web-vitals/4/web-vitals.iife.js"></script>
<script>
window.webVitals.onLCP(({value}) => beacon('lcp', value));
window.webVitals.onINP(({value}) => beacon('inp', value));
window.webVitals.onCLS(({value}) => beacon('cls', value));
</script>

Beacon → CDN edge logger (Cloudflare Analytics, Datadog RUM).

14) Cost dashboard

Metric	Threshold	Alert
Cache hit rate	< %70	warn; < %50 page
Bandwidth / 24h	baseline +%20	warn
Egress USD / day	baseline +%30	page
Image transform / day	quota %80	warn

/cost-review skill bağı.

Checklist

Antipattern

Cache-Control eksik (provider default).
Vary yok (auth/encoding leak).
Tüm cookie cache key'de.
Tüm query param cache key'de (utm_* tracker flood).
Purge'e güven (eventually consistent).
no-cache ≠ no-store karıştırma.
Origin shield kapalı.
Cache hit rate ölçüm yok.
Edge ↔ origin plaintext (Flexible mode).
Origin IP public (direct DDoS bypass).
Signed URL expire > 24h.
Image runtime resize her request.
Single CDN SaaS-critical.
WAF rules custom-only OWASP kapalı.
Edge compute > 50ms CPU.
TLS cert manuel renew.
Tag-based purge yok (wildcard hammer).
Static asset versioning yok (?v= query → cache key flood).
RUM yok.

Örnek Agent Davranışı

User: /cdn-review acme.com
Agent (platform-engineer + frontend-performance-auditor + security-reviewer):

1. Current state:
   - Cloudflare zone, free plan
   - Cache hit rate %52 ⚠ (target > %85 static)
   - Egress 8.2 TB / ay → $640
   - LCP p75 mobile 3.2s (target 2.5s)

2. Cache key audit: tüm cookie + tüm query param cache key'de
   (utm_source/utm_medium flood) → hit rate düşük.

3. TTL audit: 22 endpoint Cache-Control eksik; 8 endpoint `Cache-Control:
   no-cache` (yanlış; `no-store` istiyorlar).

4. Vary audit: 14 endpoint Vary yok; Authorization leak riski.

5. Origin shield kapalı; her POP origin'e vurar → N× egress.

6. Image optimization yok; JPEG full-res 7MB hero.

7. TLS Flexible mode (edge→origin HTTP). MITM riski.

8. Origin IP public; DDoS bypass mümkün.

9. RUM yok.

10. WAF managed rules kapalı; sadece custom 3 rule.

Findings:
- Critical: TLS Flexible (edge→origin plaintext)
- Critical: Origin IP public (no CDN allowlist)
- Critical: WAF managed rules disabled
- High: Cache hit rate %52 (cache key cookie/query flood)
- High: 14 endpoint Vary missing (auth leak)
- High: Origin shield disabled (N× egress + $$$)
- High: 22 endpoint Cache-Control missing
- Medium: Image not optimized (AVIF/WebP yok)
- Medium: Multi-CDN failover yok
- Medium: RUM yok
- Low: Static asset query versioning (?v=) cache flood

Action items: 11 issue + 4-week roadmap, projected cost -%45,
LCP improvement → < 2.5s.

Çıktı Formatı

# CDN Review: <site | service>

## Current state
- Provider + plan
- Cache hit rate
- Egress + requests
- LCP/INP (RUM if available)

## Cache key audit

## TTL matrix per path

## Origin shield + purge strategy

## Signed URL (varsa private content)

## Image / HLS / DASH

## Multi-CDN failover

## Edge compute (varsa)

## TLS + WAF + DDoS + Origin lock

## RUM + Cost dashboard

## Findings (Critical/High/Medium/Low)

## Action Items
| P | Aksiyon | Sahip | Bitiş |

cdn-engineering

Invocation

Context Preview

SKILL.md

cdn-engineering

Invocation

Context Preview

SKILL.md

CDN Engineering

Ortak Doktrin

Felsefe

Ne Zaman Kullanılır

Workflow

1) Discovery — current state

2) Cache key audit

3) TTL matrix

4) Origin shield enable

5) Purge strategy

6) Signed URL

7) Image optimization

8) HLS/DASH

9) Multi-CDN failover

10) Edge compute örnek

11) TLS hardening

12) WAF + DDoS + Origin lock

13) RUM kurulum

14) Cost dashboard

Checklist

Antipattern

Örnek Agent Davranışı

Çıktı Formatı

Similar Skills

CDN Engineering

Ortak Doktrin

Felsefe

Ne Zaman Kullanılır

Workflow

1) Discovery — current state

2) Cache key audit

3) TTL matrix

4) Origin shield enable

5) Purge strategy

6) Signed URL

7) Image optimization

8) HLS/DASH

9) Multi-CDN failover

10) Edge compute örnek

11) TLS hardening

12) WAF + DDoS + Origin lock

13) RUM kurulum

14) Cost dashboard

Checklist

Antipattern

Örnek Agent Davranışı

Çıktı Formatı

Similar Skills