What is a CDN?

When a browser in Tokyo requests a JavaScript bundle from a server in Virginia, the round-trip alone is roughly 150–200 milliseconds before the first byte arrives. Multiply that across the dozens of assets a modern SaaS app loads on its first page, and you have a sluggish app for anyone who is not sitting next to your origin. A CDN solves this by caching those assets in dozens or hundreds of edge locations worldwide. The Tokyo browser hits an edge server in Tokyo, gets a 5–15 ms response, and never bothers your origin at all.

For solo SaaS founders, the practical version of this story is simpler: if you deploy on Vercel, Netlify, or Cloudflare Pages, you already have a CDN. The question is rarely “should I add a CDN?” but “what is the CDN doing for me, and when do I need to think about it?”

Why a CDN matters

The benefits stack across four distinct categories, and most apps pick up all of them at once when they put a CDN in front of their origin.

• Latency. Edge locations cut request latency from hundreds of milliseconds to single digits for cached assets. Cloudflare advertises a network spanning 330+ cities; AWS CloudFront publishes 600+ points of presence. Wherever your users are, an edge node is usually within 50–100 ms.
• Bandwidth offload. A CDN absorbs the bulk of repetitive traffic before it ever reaches your origin. For a content-heavy SaaS, the cache hit ratio can routinely exceed 90%, meaning your origin sees a fraction of the actual request volume.
• DDoS protection and TLS termination. The edge sits in front of your origin and absorbs floods of traffic that would otherwise saturate your server. CDNs also handle TLS handshakes at the edge, offloading certificate management and CPU cost from your origin.
• Image optimization and modern formats. Cloudflare Images, Vercel's Image Optimization, Fastly Image Optimizer, and Akamai Image Manager rewrite images on the fly to AVIF, WebP, or smaller resolutions based on the requesting device. The savings on bandwidth and Largest Contentful Paint are usually larger than any other optimization a SaaS founder can apply.

How a CDN works under the hood

The architecture is conceptually straightforward but has a handful of moving parts that determine whether your CDN actually helps or quietly hurts you.

Edge caching

Each edge location maintains its own cache. When a request arrives, the edge checks for a fresh cached copy of the requested URL. If it finds one (a “cache hit”), it serves that copy directly. If not (a “cache miss”), it forwards the request to your origin, stores the response, and serves it. Subsequent requests for the same URL at that edge location are served from cache until the entry expires.

Origin shield

Without an origin shield, every edge location independently fetches from the origin on its first miss — a lot of duplicate origin hits across hundreds of locations. An origin shield is an intermediate cache layer that all edges consult before going to the origin. Cloudflare calls it Tiered Cache; CloudFront calls it Origin Shield; Fastly bakes it in via shielding. The Cloudflare documentation on Tiered Cache walks through the topology in detail.

Cache keys

The cache key is the unique identifier under which a response is stored. By default it is the request URL plus a few selected headers. If you cache by URL alone but the response varies by Accept-Language, you will serve French content to English users. If you cache by full URL including query strings but your tracking parameters create a unique URL on every page load, your cache hit ratio drops to zero. Most mistakes in CDN configuration come from a misaligned cache key.

TTL and purge

Each cache entry has a time-to-live (TTL) after which it is considered stale and revalidated on the next request. TTLs are set by the origin via response headers, overridden by CDN configuration, or both. When you ship a new asset and need the old one removed before its TTL expires, you call the CDN's purge API to invalidate specific URLs. Purge mechanics vary — Cloudflare offers per-URL and tag-based purge; Fastly is famous for sub-second purge across the entire network.

The major CDN providers in 2026

Provider	Best for	Notable features
Cloudflare	Default for solo SaaS	Largest network footprint. Free tier covers DDoS protection, TLS, and basic caching at $0. Workers run code at the edge.
Fastly	Developer-focused teams	VCL config language for fine-grained behavior. Sub-second instant purge. Used by GitHub, Stripe, and Shopify.
AWS CloudFront	Apps already on AWS	Tight integration with S3, Lambda@Edge, and CloudFront Functions. Pay-as-you-go with no monthly minimum.
Akamai	Enterprise / regulated industries	The original CDN. Largest enterprise-grade footprint and most complex configuration. Rarely the right choice for a solo founder.
Vercel Edge Network	Next.js apps	A managed CDN built on top of Cloudflare and AWS. Zero configuration; tightly integrated with Next.js cache primitives.

For most solo SaaS founders, the choice is made by the deployment platform — picking a deployment target is, indirectly, picking a CDN. Our breakdown of Vercel vs Cloudflare Pages walks through how the trade-offs play out in practice.

Static vs dynamic content

Static assets — images, fonts, JavaScript bundles, CSS files — cache cleanly. They have a stable URL, do not vary by user, and can be cached for months at the edge with a long TTL. Bundlers like Vite, Webpack, and Turbopack hash the file name on every build, so you can ship updates without manual purges; the new build produces a new URL, and the old URL stays cached harmlessly.

Dynamic content — HTML pages with personalized data, API responses, server-rendered routes — is harder. Two strategies dominate.

Stale-while-revalidate (SWR) is an HTTP caching directive (RFC 5861) that tells the CDN to serve a stale cached copy immediately while asynchronously revalidating in the background. The user gets a fast response; the next user gets a fresh one. Vercel exposes this directly via the Cache-Control response header and the revalidate Next.js option.

Edge config and on-demand revalidation use a key-value store at the edge to handle small pieces of dynamic data without round-tripping to the origin on every request. Vercel Edge Config, Cloudflare KV, and Fastly Edge Dictionaries all serve this role. The pattern: store feature flags, config, or small lookups at the edge; let the rest of the page render from a cached HTML shell.

Cache headers, in plain language

The HTTP Cache-Control header is how your origin tells the CDN how to cache a response. The relevant directives:

• public — the response can be cached by any cache, including shared caches like a CDN. Use for assets that are not user-specific.
• private — the response can be cached only by the user's own browser, never by a shared cache. Use for personalized HTML and authenticated API responses.
• max-age=N — the response is fresh for N seconds in any cache.
• s-maxage=N — same as max-age, but only applies to shared caches (the CDN). Lets you have a long edge TTL and a short browser TTL.
• immutable — the response will never change. Browsers skip revalidation entirely. Use on hashed asset filenames.

The ETag header is a content fingerprint; the CDN sends it back on the next request, and the origin returns a quick 304 Not Modified if nothing changed. The Vary header tells the cache which request headers should be part of the cache key — Vary: Accept-Encoding ensures gzipped and uncompressed responses are stored separately. The MDN reference on Cache-Control is the canonical guide.

Edge functions vs CDN: a blurring line

The original CDN idea was “cache static stuff at the edge.” The 2026 reality is that the edge runs your application code, too. Cloudflare Workers, Vercel Edge Functions, Fastly Compute, and AWS Lambda@Edge all let you execute serverless functions in the same physical locations where the cache lives. The benefits: cold-start times measured in single-digit milliseconds, a request never hits a centralized region, and you can rewrite responses or do auth checks at the edge.

Edge functions blur the line between “CDN” and “application platform.” A Vercel deployment routes a request first to an edge cache, then to an Edge Function if the route is configured for it, then potentially to a serverless function in a centralized region for heavier work. The CDN is no longer just a cache; it is the first layer of compute. Our deploy guide for Next.js on Vercel covers how to think about this in practice.

Image optimization at the edge

Images are the largest category of bytes most SaaS apps serve, and modern formats (AVIF, WebP) cut the byte count by 30–70% compared to JPEG/PNG. Image optimization at the edge means: the CDN receives the image, transcodes it to the best format the requesting browser supports, resizes to the requested dimensions, and caches the result. The next user with the same combination gets it from cache; the next user with a different device profile gets a freshly-transcoded version.

The major options:

• Cloudflare Images — flat-rate billing per 100,000 images stored, plus delivery costs. Includes signed URLs and resize-on-demand.
• Vercel Image Optimization — metered by source image and transformations. Integrated with the Next.js <Image> component; the workflow is essentially zero-config for Next.js apps.
• Fastly Image Optimizer — per-request transform pricing. The most flexible URL-based query parameter API.
• Self-hosted — libraries like sharp can do the same work on a server, but you give up the edge cache and pay origin CPU on every miss.

Solo SaaS reality: you probably already have a CDN

If your stack is Next.js on Vercel, Remix on Netlify, or any framework on Cloudflare Pages, you have a fully configured CDN today. You did not pay extra for it; it ships with the platform. The cache headers Next.js writes by default are reasonable for most apps. The image component already routes through edge optimization. You did not configure an edge shield, but the platform did.

This means the question for most solo founders is not “which CDN should I buy?” The default is fine. The question is “am I doing anything that quietly bypasses my CDN?” That is where the real wins and the real bugs live.

When you do need to think about your CDN

A handful of situations move CDN configuration from “the platform handles it” to “you need to make decisions.”

• High-traffic content sites. If you run a blog, documentation site, or marketing pages with significant traffic, optimizing your cache hit ratio directly affects your origin bill. The difference between 60% and 95% cache hit ratio is the difference between needing one origin server and needing ten.
• Video or large-file delivery. Bandwidth costs at the edge dominate. Cloudflare Stream and Mux add purpose-built video delivery on top of a CDN; raw video served from S3 + CloudFront is workable but expensive.
• Global B2C audience. If half your users are outside North America and Europe, the regional gaps in a default CDN footprint become visible. Cloudflare and Akamai have the deepest networks in Asia, Africa, and South America.
• Paid image optimization. If your images are user-generated, you cannot rely on hashed build-time bundling. Image optimization services pay for themselves quickly once you serve more than a few gigabytes per month of unoptimized images.
• Compliance or geographic restrictions. Some industries require specific data residency or geo-blocking rules. CDN configuration is where those rules live.

Common CDN gotchas

Things that will quietly break in production if you do not pay attention:

• Caching authenticated content. Never cache responses containing personal data on a shared cache. A wrong Cache-Control: public on a logged-in dashboard route is an immediate cross-user data leak. Always use private or no-store on user-specific content.
• Cache stampede. When a popular cached entry expires, hundreds of edge locations request the new version simultaneously, hammering your origin. Stale-while-revalidate and origin shielding both mitigate this; deploying without either is a recipe for a thundering-herd outage on TTL boundaries.
• Broken purges. A purge that hits the edge but misses the browser cache means users see the old version after you ship a fix. Use cache-busting URL hashes for assets and short TTLs (or no-cache) on HTML responses.
• CDN-vs-origin response divergence. If the CDN compresses, rewrites, or modifies headers in ways your origin does not, you will see bugs that only happen in production behind the CDN, never in local dev. Test against the CDN URL, not just the origin.
• Webhooks and idempotency. Webhook endpoints should never be cached. A POST to /webhook/stripe behind a cache that occasionally serves a stale 200 OK is an outage waiting to happen. See our notes on webhook security best practices for the production checklist.
• Hidden cost surprises. Egress bandwidth from the CDN is what you pay for. Most platforms include generous bandwidth in flat-rate plans, but going over the included quota at scale can surprise you. Our Vercel pricing guide and Vercel free tier limits breakdown cover the specific numbers for the most common solo SaaS deployment.

The takeaway

A CDN is the layer of cached, geographically distributed servers that turn a single-region origin into a globally fast app. For solo SaaS founders in 2026, the more accurate framing is: your deployment platform already runs a CDN for you, and your job is to know what it is doing — not to operate it from scratch. Understand cache headers, never cache authenticated content, and treat your CDN as a first-class part of your stack rather than an invisible accelerator. Once you do, the rest of the architecture — edge functions, image optimization, dynamic caching strategies — falls into place naturally.