CACHE-001 recommended Static Asset Caching

Static assets cached by CDN

JS, CSS, images, and fonts served through CDN with appropriate Cache-Control headers

Question to ask

"Are users downloading your JS bundle from your origin server?"

Verification guide

Severity: Recommended

Static assets (JS, CSS, images, fonts) should be served through a CDN with appropriate cache headers. This reduces latency and origin server load.

Check automatically:

  1. Identify static asset URLs from the site:

     # Fetch homepage and extract JS/CSS/image/font URLs
     curl -sL https://example.com | grep -oE '(src|href)="[^"]*\.(js|css|png|jpg|svg|woff2?)"' | head -10

  2. Check cache headers on static assets:

     # For each asset URL (pattern anchored to header names so "age" does not match unrelated headers)
     curl -sI https://example.com/assets/main.js | grep -iE "^(cache-control|cf-cache-status|age|x-cache):"

  3. Verify CDN is serving assets (Cloudflare-specific):

     # Look for CF-Cache-Status header
     curl -sI https://example.com/assets/main.js | grep -i "cf-cache-status"
     # Expected: HIT, MISS (first request), or DYNAMIC

  4. For other CDNs:

     # CloudFront
     curl -sI https://example.com/assets/main.js | grep -i "x-cache"
     # Expected: Hit from cloudfront

     # Fastly
     curl -sI https://example.com/assets/main.js | grep -i "x-served-by"

     # Vercel
     curl -sI https://example.com/assets/main.js | grep -i "x-vercel-cache"

Ask user:

  • "What CDN do you use?" (Cloudflare, Fastly, CloudFront, Vercel, etc.)
  • If no CDN: "Are static assets served from origin on every request?"

Pass criteria:

  • Static assets (JS, CSS, images, fonts) have Cache-Control with long TTL
  • CDN cache status shows HIT on subsequent requests
  • Assets served from CDN edge, not origin

Fail criteria:

  • No Cache-Control header on static assets
  • Cache-Control: no-cache or max-age=0 on static assets
  • No CDN in front of static assets (served from origin every time)
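
The pass and fail criteria above, applied to one asset's response headers, as an added example that is not part of the original checklist. The function name `classify_headers`, the `MIN_TTL` threshold of 86400 seconds for "long TTL", the WARN verdicts and the sample responses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: grade one asset's response headers against the checklist.
# MIN_TTL is an assumed threshold for "long TTL"; the page does not define one.
MIN_TTL=${MIN_TTL:-86400}

# Reads raw response headers (as printed by curl -sI) on stdin, prints a verdict.
classify_headers() {
  tr -d '\r' | awk -v min_ttl="$MIN_TTL" '
    {
      line = tolower($0)
      if (line ~ /^cache-control:/) { has_cc = 1; cc = line }
      # Cache-status headers named in the checks above.
      if (line ~ /^(cf-cache-status|x-cache|x-vercel-cache):/) {
        cdn = 1
        if (line ~ /hit/) hit = 1
      }
      if (line ~ /^x-served-by:/) cdn = 1   # Fastly node list, no hit/miss info
    }
    END {
      if (!has_cc)         { print "FAIL: no Cache-Control header"; exit }
      if (cc ~ /no-cache/) { print "FAIL: Cache-Control is no-cache"; exit }
      ttl = -1             # -1 means no max-age directive was present
      if (match(cc, /max-age=[0-9]+/)) ttl = substr(cc, RSTART + 8, RLENGTH - 8) + 0
      if (ttl == 0)        { print "FAIL: max-age=0"; exit }
      if (!cdn)            { print "FAIL: no CDN cache-status header"; exit }
      if (ttl < min_ttl)   { print "WARN: TTL below " min_ttl "s"; exit }
      if (!hit)            { print "WARN: CDN present but no HIT, repeat the request"; exit }
      print "PASS"
    }'
}

# Constructed sample responses (not captured from a real site).
SAMPLE_GOOD='HTTP/2 200
cache-control: public, max-age=31536000, immutable
cf-cache-status: HIT
age: 4242'
SAMPLE_MISS='HTTP/2 200
cache-control: public, max-age=604800
x-cache: Miss from cloudfront'
SAMPLE_ORIGIN='HTTP/1.1 200 OK
Cache-Control: max-age=0
Server: nginx'

for s in "$SAMPLE_GOOD" "$SAMPLE_MISS" "$SAMPLE_ORIGIN"; do
  printf '%s\n' "$s" | classify_headers
done
```

Against a live asset, pipe `curl -sI https://example.com/assets/main.js` into `classify_headers` twice and grade the second response, since the first request may legitimately be a MISS.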

Evidence to capture:

  • CDN provider
  • Sample cache headers from JS, CSS, image assets
  • Cache hit rate if available (CDN dashboard)

Section

21. Caching

Infrastructure Features