Articles

Debug CDN Cache Misses, Stale Content, and Purge Failures (2026)

April 16, 2026 10 min read

A CDN cache miss isn’t just a delay; it’s a signal that the CDN’s edge server couldn’t find the requested asset locally and had to go all the way back to your origin server, potentially impacting performance and user experience.

Let’s walk through a typical scenario. Imagine a user requests https://cdn.example.com/images/logo.png.

  1. The user’s browser asks the CDN edge server for logo.png.
  2. The CDN edge server checks its local cache.
  3. Cache Miss: The file isn’t there.
  4. The CDN edge server requests logo.png from https://origin.example.com/images/logo.png.
  5. Your origin server sends the file back to the CDN edge server.
  6. The CDN edge server caches the file and then serves it to the user.
  7. The user sees the image, but with a delay.

Now, what if this happens too often, or worse, the CDN shows stale content even after you’ve updated it? This is where debugging becomes critical.

Debugging Cache Misses

Cache misses are the most common issue. They happen for a variety of reasons.

1. TTL Too Short: Your cache-control headers tell the CDN how long to hold onto an asset. If this Time To Live (TTL) is too short, the CDN will expire and re-fetch assets frequently, leading to more misses.

  • Diagnosis: Inspect your origin server’s Cache-Control and Expires headers for the problematic asset. Use curl -I https://origin.example.com/images/logo.png. Look for Cache-Control: max-age=3600 (an hour) or Expires: Tue, 01 Jan 2025 12:00:00 GMT.
  • Fix: Increase the max-age directive in your Cache-Control header. For static assets that rarely change, Cache-Control: max-age=31536000 (one year) is common. This tells the CDN to keep the asset for up to a year.
  • Why it works: A longer max-age means the CDN will consider the asset fresh for a longer period, reducing the need to check with the origin and thus decreasing misses.

2. Cache Key Mismatch: CDNs use a cache key (usually the full URL) to identify unique assets. If your URL structure changes, or if query parameters that don’t affect the content are present, the CDN might treat identical assets as different.

  • Diagnosis: Compare the exact URLs being requested. Are there subtle differences? For example, https://cdn.example.com/images/logo.png?v=1 and https://cdn.example.com/images/logo.png?v=2 will be cached separately. Check if your application dynamically adds versioning or tracking parameters.
  • Fix: Configure your CDN to ignore specific query parameters that don’t change the asset content. In Cloudflare, this is done under "Scrape Shield" -> "Auto Minify" -> "Query String Sort". For others, it might be a "Cache Key Rules" or "Query String Whitelist/Blacklist" setting. Ensure you’re whitelisting only necessary parameters or blacklisting dynamic ones.
  • Why it works: By ignoring non-essential query parameters, the CDN treats logo.png?v=1 and logo.png?v=2 (if v is dynamic) as the same asset, consolidating them into a single cache entry and reducing misses.

3. Vary Header Issues: The Vary header tells the CDN which request headers are part of the cache key. If it’s set incorrectly, the CDN might serve a cached version meant for one client (e.g., mobile) to another (e.g., desktop).

  • Diagnosis: Inspect the Vary header on responses from your origin. curl -I https://origin.example.com/styles.css. If you see Vary: Accept-Encoding, it means the CDN will cache different compressed versions. If you see Vary: User-Agent and you don’t intend to serve different content based on user agent, this is a problem.
  • Fix: Remove Vary headers from your origin server’s response if they are not necessary for content differentiation. For example, if Accept-Encoding is present but your origin always serves Gzip, you might remove it. If your CDN adds a Vary: Accept-Encoding automatically (many do for compression), ensure your origin doesn’t also add it redundantly.
  • Why it works: The Vary header dictates how the cache key is constructed. Removing unnecessary Vary headers prevents the CDN from creating too many distinct cache entries for what is essentially the same content.

4. Origin Server Unavailability/Errors: If your origin server is down, slow, or returning errors (like 5xx), the CDN will likely fail to fetch the asset, resulting in a cache miss or an error to the user.

  • Diagnosis: Check your origin server’s logs and monitoring. Is it experiencing high load or downtime? Is it returning HTTP 500 or 503 errors?
  • Fix: Resolve the issues on your origin server. This might involve scaling up resources, fixing application bugs, or improving database performance.
  • Why it works: A healthy, responsive origin server is fundamental for the CDN to successfully fetch and cache assets.

5. Geo-blocking/IP Restrictions: If your origin server is blocking requests from the CDN’s edge server IP addresses, the CDN won’t be able to reach it, leading to persistent misses.

  • Diagnosis: Check your origin server’s firewall rules, IP allowlists, or security group configurations. Are the IP ranges used by your CDN provider (e.g., Cloudflare’s ~173.245.48.0/20) explicitly allowed?
  • Fix: Add the CDN provider’s IP ranges to your origin server’s allowlist. For Cloudflare, you can find their current IP ranges in their documentation.
  • Why it works: This ensures the CDN’s servers have network access to your origin, allowing them to retrieve and cache content.

6. Dynamic Content Misconfiguration: If content is dynamic and shouldn’t be cached, but your CDN is configured to cache it, you’ll get misses when the underlying data changes. Conversely, if dynamic content should be cached but isn’t, you’ll get misses.

  • Diagnosis: Review your CDN’s caching rules for the specific paths. Are they set to Cache Everything, Cache Static Assets Only, or are there custom rules? Check your origin’s Cache-Control headers for dynamic content; they should often be no-cache or max-age=0.
  • Fix: Adjust your CDN caching rules. For dynamic content, set a Cache-Control header of no-cache, no-store, must-revalidate from the origin and ensure the CDN respects this (or configure the CDN rule to bypass cache for these paths). For content that should be cached but isn’t, ensure a max-age is set on the origin and the CDN rule applies.
  • Why it works: Proper configuration aligns the CDN’s caching behavior with the nature of the content, preventing stale data or unnecessary fetches.

Debugging Stale Content

Stale content, where the CDN serves an old version even after an update, is often a purge or propagation issue.

1. Incomplete Purge: You might have purged an asset from the CDN, but the purge command didn’t reach all edge locations, or it was for the wrong URL.

  • Diagnosis: Verify the purge request in your CDN provider’s dashboard or API logs. Did it report success? Try purging the asset again, and check the CDN’s "Purge Status" or "History" section.
  • Fix: Re-initiate the purge for the specific asset (/images/logo.png) or a broader purge if necessary (e.g., /images/*). Ensure you’re using the correct URL format that matches what the CDN expects.
  • Why it works: A successful purge command instructs all edge servers to remove the specified asset from their cache, forcing them to fetch the latest version on the next request.

2. Stale "Stale-While-Revalidate" or "Stale-If-Error": Some CDNs offer features like "stale-while-revalidate" (serve stale content immediately, then revalidate in the background) or "stale-if-error" (serve stale content if the origin is down). If these are misconfigured or the revalidation fails, you can get stale content.

  • Diagnosis: Check your CDN’s advanced caching settings. Look for options related to "stale-while-revalidate" or "stale-if-error" and their associated TTLs.
  • Fix: Adjust the TTLs for these features or disable them if they’re causing issues. For "stale-while-revalidate", a common setting is stale-while-revalidate=600 (serve stale for 10 minutes while revalidating). Ensure this value is appropriate for your content update frequency.
  • Why it works: These features are designed to improve perceived performance by serving cached content even during revalidation or origin errors. Misconfiguration can lead to outdated content being served longer than intended.

3. TTL Expiry During Purge Operation: It’s possible for an asset’s TTL to expire between the time you initiated a purge and the time it fully propagated across all edge servers. The CDN might then re-fetch the old version from the origin.

  • Diagnosis: This is hard to diagnose directly without deep CDN logs. However, if you consistently see stale content after purging and the asset’s TTL is very short (e.g., 60 seconds), this could be a race condition.
  • Fix: Temporarily increase the TTL on your origin server before purging, then purge the asset, and finally, revert the TTL. Or, use a "purge and re-deploy" strategy where you update the asset on the origin, then trigger a CDN purge.
  • Why it works: By increasing the TTL, you give the purge operation more time to complete across the CDN network before the CDN considers the asset stale and fetches it again.

Debugging Purge Failures

Purge failures are often due to incorrect configuration or API issues.

1. Invalid API Credentials/Permissions: If the API keys or tokens used to purge content are incorrect, expired, or lack the necessary permissions, purge requests will fail.

  • Diagnosis: Check your CDN provider’s documentation for API authentication. Look for error messages in your CDN dashboard or logs related to authentication or authorization (e.g., 401 Unauthorized, 403 Forbidden).
  • Fix: Regenerate API keys or tokens, ensure they are correctly entered in your deployment scripts or CI/CD pipeline, and verify the user/service account associated with the keys has "Purge" or "Cache Management" permissions.
  • Why it works: Correct authentication and authorization are required for the CDN to accept and process purge requests.

2. Rate Limiting: CDNs impose rate limits on API requests, including purges, to protect their infrastructure. Exceeding these limits will cause subsequent requests to fail.

  • Diagnosis: Look for "429 Too Many Requests" errors in your API logs or CDN dashboard. Check your CDN provider’s documentation for their specific API rate limits.
  • Fix: Implement backoff and retry logic in your purge scripts. If you need to purge many assets, consider using wildcard purges (/images/*) where supported, or stagger your purge requests over time.
  • Why it works: Respecting rate limits prevents your purge requests from being rejected, ensuring that all assets you intend to purge are eventually processed.

3. Incorrect Purge Endpoint/Payload: The specific API endpoint, HTTP method, or the structure of the purge request payload might be incorrect.

  • Diagnosis: Double-check the CDN provider’s API documentation for the exact purge endpoint (e.g., /purge, /purge_cache), the HTTP method (POST, PUT), and the expected JSON or form data structure for the request body (e.g., {"url": "..."} or {"files": ["..."]}).
  • Fix: Correct your API call to match the documented endpoint, method, and payload format precisely. For example, if your CDN expects {"files": ["/path/to/file.jpg"]} and you’re sending {"url": "/path/to/file.jpg"}, you’ll get an error.
  • Why it works: The CDN’s API needs to receive requests in a very specific format to understand and execute the purge command.

The next error you’ll likely encounter, if you’ve fixed all these, is a "Too Many Redirects" error if your origin server and CDN are both trying to enforce HTTPS.

Want structured learning?

Take the full Cdn course →