Running Front-Commerce behind a CDN
How to put a CDN (e.g. Cloudflare) in front of Front-Commerce while respecting its HTTP cache contract, covering what to cache, what to never cache, and which CDN optimizations to disable.
You can place any CDN in front of Front-Commerce, as long as the CDN honors the HTTP cache headers that Front-Commerce already sets on every response. This page describes that contract, lists what is safe to cache and what must never be cached, and points out the CDN settings that break server-side rendering if left enabled. A dedicated Cloudflare checklist is included.
This guide targets teams that operate their own CDN in front of Front-Commerce. If your project runs on Front-Commerce Cloud, the caching layer is managed for you, see Using the proxy cache.
Front-Commerce's HTTP cache contract
Front-Commerce sets the right Cache-Control header on every response itself.
You do not configure a caching strategy on the CDN, you let the CDN obey the
header that Front-Commerce emits:
- Cacheable responses get
Cache-Control: public, s-maxage=<n>, stale-while-revalidate=<n>. - Everything else gets
Cache-Control: no-cache.
Front-Commerce forces no-cache whenever the request belongs to a logged-in
(non-anonymous) visitor or the response is rendered in contribution mode, so
personalized content is never marked as cacheable.
The single rule for any CDN in front of Front-Commerce: honor the
Cache-Control headers coming from the origin, do not define your own caching
strategy. For the full reference on these headers and how to tune them, see
the
Cache-Control and CDN guide.
What is cacheable vs never cacheable
Cacheable:
- Built, content-hashed assets (JS/CSS bundles). Their file names change on every build, so they are immutable and safe to cache for a long time.
- Resized images served under
/images.resized/*, returned withCache-Control: public, max-age=<one year>. - Anonymous pages that emit an
s-maxagedirective (e.g. product, category and home pages,/robots.txt,/sitemaps.xml).
Never cacheable:
/graphql./api/*, including/api/admin/*.- Any request carrying the session cookie
connect.sid(this is the default cookie name and it is configurable). - Any response that contains a
Set-Cookieheader. - Any response rendered in contribution mode.
In all of these cases Front-Commerce already responds with
Cache-Control: no-cache, so a compliant CDN does the right thing on its own.
The two things to double-check on the CDN are: it respects the origin
Cache-Control, and it never serves an authenticated request (one carrying
connect.sid) from the shared cache.
Cloudflare specifics
Cloudflare is fully compatible with Front-Commerce, but a few defaults must be adjusted. This is a checklist, not a step-by-step tutorial, the exact location of each setting changes over time in the Cloudflare dashboard.
- ⚠️ Cloudflare does not cache HTML by default. Page responses come back as
Cf-Cache-Status: BYPASS. To cache anonymous HTML pages you must add explicit Cache Rules (Cloudflare's legacy Page Rules are being retired). Static assets, on the other hand, are cached out of the box and reportCf-Cache-Status: HIT. - Respect the origin cache headers. Configure Cloudflare to honor the
existing
Cache-Controlheaders instead of overriding them with its own edge TTL. - Bypass the cache for
/graphql,/api/*, and any request carryingconnect.sidor any response carryingSet-Cookie.
CDN optimizations to disable
Several Cloudflare (and CDN-generic) "performance" features rewrite the HTML or JavaScript that Front-Commerce generates. Because Front-Commerce is server-side-rendered and hydrated by React on the client, any alteration of the markup makes client hydration fail. Disable:
- Rocket Loader.
- Auto Minify (JS, CSS and HTML).
- Any other feature that rewrites, injects into, or otherwise alters the HTML or JavaScript payload.
The general principle: never transform the HTML or JavaScript produced by Front-Commerce.
WAF & bots
A Web Application Firewall and bot protection are welcome in front of Front-Commerce, but keep two principles in mind:
- Do not block
/graphqlor/api/*. These are legitimate storefront routes, the whole front-end depends on them. Blocking them takes the site down. - Focus protection on administrative surfaces and on clearly abusive traffic, and avoid rules that block legitimate visitors or server-side rendering. Tune any aggressive ruleset against real storefront traffic before enabling it in blocking mode.
Verifying the cache
Inspect the response headers to confirm how a given URL is being cached:
curl -I https://www.example.com/
Read the CDN status header, on Cloudflare this is Cf-Cache-Status, whose value
is HIT, MISS or BYPASS. Front-Commerce itself does not emit a cache-status
header, so rely on the one provided by your CDN. For a reproducible way to check
the Cache-Control headers Front-Commerce sets per route, use the validation
script in the
Cache-Control and CDN guide.
The "customer operates their own CDN in front of Front-Commerce" scenario has not been extensively validated in production yet. Please report any issue or feedback to our support team so we can improve this guide.