TTL (CDN Time to Live)

Short Definition

TTL (Time to Live) in a CDN context is the duration that a cached copy of a resource is stored at an edge node before it is considered stale and must be refreshed from the origin server. It is set through HTTP cache-control headers or CDN configuration rules. TTL directly affects how often edge nodes re-fetch content, balancing freshness against origin load and latency.

Extended Definition

Every response a CDN caches at an edge node carries an expiration signal. That signal is the TTL. When a request arrives at an edge node and the cached copy has not yet expired, the edge serves the content directly without contacting the origin. When the TTL expires, the next request triggers a revalidation or a full re-fetch.

TTL values can be set in several places: the origin server sends `Cache-Control: max-age=<seconds>` or `Expires` headers, and CDN platforms allow administrators to override those values through custom rules. Most CDNs also support stale-while-revalidate and stale-if-error directives, which extend effective TTL behavior under specific conditions.

Choosing the right TTL requires balancing two competing concerns. A very short TTL ensures users always receive fresh content but increases origin traffic, latency, and infrastructure costs. A very long TTL reduces origin load and improves response speed but risks serving outdated content after deployments or data changes.

TTL also plays a role in security posture. Cached responses can mask the effects of security patches applied to the origin. If a vulnerability is patched but a CDN serves stale cached responses for hours afterward, users may still receive the exploitable version of a resource. This makes TTL a concern not just for performance teams but for security and infrastructure operations teams as well.

DNS TTL is a related but distinct concept. DNS TTL controls how long resolvers cache a DNS record, affecting failover speed and traffic routing rather than content freshness.

Deep Technical Explanation

How CDN TTL Works at the Edge

When an origin server returns a response, it includes headers that instruct intermediate caches how long to store the content. The CDN edge node reads these headers and stores the response alongside a timestamp. On each subsequent request for that resource, the edge node checks whether the current time exceeds the stored timestamp plus the TTL value. If it has not, the edge serves the cached copy and returns a cache-hit indicator (typically an `X-Cache: HIT` header). If it has expired, the edge performs a conditional request using `If-None-Match` or `If-Modified-Since` headers to check whether the content has changed.

Cache-Control Directives and TTL Sources

The `Cache-Control` header carries the authoritative TTL signal. The `max-age` directive sets the number of seconds a response is cacheable. The `s-maxage` directive applies specifically to shared caches like CDNs and overrides `max-age` for those nodes. The `no-store` directive prevents caching entirely, while `no-cache` requires revalidation on every request even if the cached copy exists.

CDN platforms including Cloudflare, AWS CloudFront, and Fastly allow edge TTL rules that override origin headers. This is useful when the origin application cannot be modified easily or when different content types require different expiration policies.

Stale Content and Invalidation

The failure mode most teams encounter is serving stale content after a deployment. If a JavaScript bundle is cached with a 24-hour TTL and a hotfix is deployed two hours into that window, users will receive the broken version for up to 22 more hours unless the cache is explicitly purged. Cache purge APIs address this, but they require discipline in deployment pipelines and can have propagation delays across edge nodes in large CDN networks.

Another edge case involves personalized or authenticated responses. Responses that vary by user session must never be cached with a positive TTL unless `Vary` headers and private cache directives are correctly configured. A misconfigured TTL on a private response can expose one user’s data to another, which is a direct security incident.

TTL and Security Patching

Security teams need to account for CDN TTL when applying patches. After deploying a fix for an injection vulnerability or a broken authentication endpoint, long TTL values can mean the CDN continues to serve the pre-patch response. The safest operational practice is to trigger a cache purge as part of any security-related deployment, confirm purge propagation across all edge PoPs, and monitor for cache-hit rates returning to normal after the purge.

TTL Under Attack Conditions

During a DDoS or volumetric attack, a high cache-hit rate is protective. If the CDN is serving cached responses for the targeted resource, origin servers are not absorbing the attack traffic. A very low TTL during an active attack forces the CDN to re-fetch frequently, potentially routing attack-amplified traffic to the origin. This is why some teams temporarily increase TTL values as a defensive measure during large-scale attack events.

Practical Examples

E-commerce Site With Frequent Price Changes

A retail platform was caching product pages with a 12-hour TTL. After a flash sale launch, pricing data shown to users was stale. The team reconfigured TTL to 30 seconds for product detail pages and 4 hours for static assets like images and CSS. Origin load increased slightly but stayed within capacity, and pricing accuracy was restored.

Security Patch Deployment

A SaaS platform patched an XSS vulnerability in a rendered HTML template. The CDN had a 6-hour TTL on those pages. The operations team triggered a full cache purge via the CDN API immediately after deployment and confirmed the patch was live within 90 seconds across all edge nodes.

DDoS Attack Mitigation

A media company experienced a 900Mbps flood targeting their homepage. Because the homepage was cached with a 5-minute TTL, over 98% of requests were served from edge cache, and origin servers saw minimal traffic increase throughout the 40-minute attack window.

Authenticated API Response Leak

A misconfigured CDN rule applied a 60-second TTL to an API endpoint that returned user-specific account data. The missing `Cache-Control: private` header allowed one user’s response to be served to the next user hitting the same edge node. The incident was caught during a routine security audit and fixed by adding the correct cache directives at the origin.

Why It Matters

  • TTL misconfiguration is a direct path to serving stale or incorrect content, which can cause data integrity issues and user trust failures.
  • A high cache-hit rate enabled by appropriate TTL values is one of the most effective passive defenses against origin-targeted DDoS attacks.
  • Security patches deployed to the origin do not take effect for end users until the CDN cache expires or is purged, making TTL a variable in incident response timelines.
  • Incorrect TTL on authenticated or personalized responses can result in data exposure between users, which is a compliance and privacy violation.
  • TTL configuration must be part of the deployment pipeline for any application served through a CDN, not treated as a one-time infrastructure setting.
  • DNS TTL and CDN TTL are both factors in failover and traffic routing decisions, so they must be coordinated during infrastructure changes and incident response.

How BlueGrid.io Uses It

BlueGrid.io manages CDN TTL configuration as part of active infrastructure operations for client environments, not as a set-and-forget setting.

  • During Layer 7 attack events, where BlueGrid.io handles over 50M threat requests per month and attack volumes reaching 1Gbps, TTL values are reviewed in real time. For under-attack resources, TTL is adjusted to maximize cache-hit rates and reduce origin exposure without breaking content freshness guarantees.
  • BlueGrid.io’s 24/7 NOC monitors cache-hit ratios alongside origin response metrics. A sudden drop in cache-hit rate for a high-traffic resource triggers an alert, which may indicate a TTL misconfiguration or a cache purge that did not propagate correctly.
  • During security incident response, BlueGrid.io executes cache purge operations as part of the incident response workflow under the 1-hour SLA, ensuring that patched content reaches end users without waiting for TTL expiration.
  • For clients with SOC 2, NIS2, or ISO 27001 compliance requirements, BlueGrid.io audits CDN cache configurations to confirm that no authenticated or sensitive responses are being cached with a positive TTL, supporting data protection controls.
  • BlueGrid.io maintains documented TTL policies per content type for each client environment, separating static asset TTL from dynamic content TTL and enforcing those policies through CDN rule sets on AWS CloudFront and other platforms.
Share this post

Share this link via

Or copy link