Support FAQ

Origin server

What is an origin server?

An origin server is the authoritative system that a CDN, cache, reverse proxy, or edge network fetches from when it cannot answer a request itself. The origin might be a web server, application platform, object store, API gateway, load balancer, media service, or a pool of several backends. It is called the origin because it is the source of truth for the content or application response.

Putting a CDN in front of a site does not make the origin unimportant. The origin still defines what can be cached, what must stay private, which status codes are returned, how redirects work, whether TLS is valid, and how the application behaves when the cache misses. A fast edge can hide some origin latency, but only for requests that can be served safely without contacting the origin.

When requests still reach origin

Requests reach the origin on cache misses, cache revalidation, purges, dynamic routes, uploads, state-changing methods, authenticated pages, admin paths, and any resource marked as uncacheable. They also reach the origin when a cache key is too fragmented to produce reuse. For example, varying by every query string or every cookie can turn many repeatable resources into apparent one-off requests.

Origin traffic often spikes during deploys, content publishing, cache expiry, or a broad purge. A large CDN footprint can make this more visible: many edge locations may miss at the same time and fetch the same object. Origin shielding, request collapsing, and targeted invalidation can reduce that duplicate work, but the origin must still be able to handle planned misses and unexpected bypasses.

Dynamic sites need special care. A public product page may be cacheable for anonymous users, while the same URL may be personalized after login. An API may have public reference data and private account data under the same hostname. The origin needs to send headers and response patterns that let the delivery layer separate those cases safely.

Headers are part of origin behavior

Cache-Control, CDN-Cache-Control, ETag, Last-Modified, Vary, Set-Cookie, Location, Content-Encoding, and status codes all influence what the edge can do. Headers are not decoration; they are part of the contract between the origin and the delivery layer.

Unsafe headers can create either poor performance or security exposure. If every response sets a session cookie, the cache may bypass public content that could otherwise be reused. If a private account page is accidentally marked public, a shared cache may store data that belongs to one user and show it to another. If Vary includes a broad signal such as User-Agent without the content actually changing, cache entries can fragment and origin load can rise.

Clear route-level intent helps. Static assets should usually have stable URLs and long freshness. Public HTML may use shorter freshness, revalidation, or controlled stale serving. Authenticated pages and sensitive APIs should normally prevent shared storage. Redirects and error responses need their own policy because caching a bad redirect or a temporary error can create confusing incidents.

Protecting the origin

An origin should not be easier to attack than the CDN-protected hostname. If the origin IP or alternate hostname is reachable directly from the Internet, attackers can bypass caching, WAF rules, bot controls, rate limits, and TLS policy. Restricting origin access to the CDN or trusted network paths is a basic protection for both security and cost control.

TLS validation also matters on the origin connection. The certificate should match the hostname used by the edge, support expected protocols, and be renewed before expiry. Disabling verification may appear to fix delivery quickly, but it weakens the trust boundary and can hide configuration drift.

Application-level controls still belong at the origin. The edge can block unwanted traffic early, but authorization, input validation, transaction integrity, and data access rules must not depend solely on the CDN. The origin should assume that some requests may arrive through maintenance paths, internal tools, or misconfigurations and enforce critical checks itself.

Scaling and failover

Origin capacity planning should include cache miss scenarios, not only average traffic. A site with a high cache hit ratio may still need to survive a purge, a regional failover, a bot burst, or a cache-busting pattern. The origin should have clear limits, queue behavior, autoscaling rules, database capacity, and graceful error handling.

Health checks should test meaningful behavior without overloading the system. A load balancer check that only confirms a TCP port is open may miss broken dependencies. A health check that runs a heavy database query every second can create its own problem. Good checks confirm that the origin can serve the routes it is expected to handle.

Backup origins need the same policy as primary origins. They need current certificates, security rules, headers, redirects, authentication behavior, logging, and capacity assumptions. Otherwise a failover can restore availability while weakening privacy or producing inconsistent cache behavior.

Misconfigurations that show up at the edge

Many "CDN problems" begin at the origin. Common examples include redirects that point back to the origin hostname, mixed HTTP and HTTPS assumptions, incorrect Host header handling, oversized responses, unbounded query strings, inconsistent compression, missing cache validators, and errors that are cacheable by accident.

Troubleshooting is faster when every response can be traced. Preserve request IDs from edge to origin, log the selected origin, record cache status, and keep enough timing data to separate edge latency from origin processing. A 200 response served from cache tells a different story than a 200 that waited two seconds on the application.

What to monitor

Useful origin metrics include request rate, origin egress bytes, response time, connection errors, status codes, TLS failures, cache miss rate, revalidation rate, purge frequency, database health, queue depth, and CPU or memory saturation. Break these down by hostname, route, method, cache status, and origin pool.

The practical aim is origin relief, not origin invisibility. A well-designed CDN reduces unnecessary origin work while keeping the origin protected, observable, and authoritative. When the origin contract is clear, the delivery layer can improve speed and resilience without guessing which responses are safe to reuse.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Misuse

AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.