
Cookies

Manage your incoming and outgoing cookies

Incoming cookies

The Cookie header in client requests has a large effect on cache efficiency. By default, a request that carries a Cookie header bypasses the cache entirely, because cookies usually identify a particular user and the response may be specific to that user.

The main reason to manage incoming cookies is to stop cookies you do not care about from affecting cache behavior. Application bugs or malicious clients can attach arbitrary cookies that fragment the cache and lower the hit rate. An allow list ensures that only the cookies you actually rely on influence caching.

The On cookie setting allows you to control how the CDN handles incoming cookies:

  • Pass: Bypasses the cache for requests with cookies (default behavior)
  • Remove: Strips all cookies from the request before processing, allowing the request to be cached normally
  • Allow list: Keeps only specific named cookies and removes all others

Allow list

You can specify up to 5 cookie names to keep. Cookie names are case-sensitive. Any cookies not in the allow list are automatically removed from the request.

Note: the kept cookies still affect caching behavior, since a request that still carries a Cookie header is treated as user-specific. Consider whether you actually need to cache requests with these cookies, or whether Pass would be more appropriate. Matching is exact: a cookie whose name differs from an allow-list entry only in case is dropped silently, so verify the result with a test request after changing the list.
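As an added illustration of the three modes (example code written for this page, not the CDN's own implementation), the following Python model applies a Pass, Remove or Allow list setting to a request's Cookie header. The OnCookie class, the function names and the sample header are assumptions made for the example; the second return value only records whether any cookie survived, since that is what keeps the request user-specific.

```python
"""Model of the 'On cookie' setting for incoming requests.

Example code written for this page, not the CDN's own implementation.
OnCookie, the function names and the sample header are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_ALLOW_LIST = 5  # the setting accepts at most 5 cookie names


@dataclass(frozen=True)
class OnCookie:
    mode: str                    # "pass", "remove" or "allow_list"
    allow: tuple[str, ...] = ()  # names to keep; compared case-sensitively

    def __post_init__(self) -> None:
        if self.mode not in ("pass", "remove", "allow_list"):
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.mode == "allow_list" and not 0 < len(self.allow) <= MAX_ALLOW_LIST:
            raise ValueError(f"allow list needs 1..{MAX_ALLOW_LIST} names")


def parse_cookie_header(value: str) -> list[tuple[str, str]]:
    """Split 'a=1; b=2' into [('a', 'a=1'), ('b', 'b=2')], preserving order.

    Each entry is (cookie name, original name=value pair) so that kept
    cookies can be re-emitted exactly as the client sent them.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            pairs.append((part.partition("=")[0].strip(), part))
    return pairs


def apply_on_cookie(policy: OnCookie, cookie_header: Optional[str]) -> tuple[Optional[str], bool]:
    """Return (Cookie header to forward or None, cookies_remain).

    cookies_remain is True when the forwarded request still carries cookies,
    which is what keeps it user-specific and, with the default behaviour,
    makes it bypass the cache.
    """
    if cookie_header is None:
        return None, False
    if policy.mode == "pass":
        return cookie_header, True
    if policy.mode == "remove":
        return None, False
    # allow_list: exact, case-sensitive name match; everything else is dropped
    kept = [raw for name, raw in parse_cookie_header(cookie_header) if name in policy.allow]
    if not kept:
        return None, False
    return "; ".join(kept), True


if __name__ == "__main__":
    policy = OnCookie("allow_list", ("sessionid", "csrftoken"))
    # Constructed request header: two wanted cookies, an analytics cookie,
    # and a differently cased duplicate that must not match.
    header = "sessionid=abc; _ga=GA1.2.1; SessionID=xyz; csrftoken=t"
    print(apply_on_cookie(policy, header))
```

Run stand-alone, the script keeps `sessionid` and `csrftoken`, drops `_ga`, and also drops `SessionID`, which shows why a typo in the allow list silently removes the cookie you meant to keep.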

Outgoing cookies

The Set-Cookie header in origin responses instructs browsers to store cookies. By default, these headers pass through to clients unchanged.

This setting is primarily used to fix or amend applications on your origin server that create cookies unnecessarily. It is often easier to remove unwanted cookies at the CDN level than to modify the origin application. Only remove cookies you know the application does not depend on: a Set-Cookie header stripped here never reaches the browser, so a session or CSRF cookie removed by mistake can break logins or form submissions.

The On set cookie setting allows you to control which cookies from your origin are sent to clients:

  • Pass: Allows all Set-Cookie headers through unchanged (default behavior)
  • Remove: Strips all Set-Cookie headers from responses before sending to clients
  • Allow list: Keeps only specific named cookies and removes all others
  • Deny list: Removes specific named cookies while keeping all others

Allow list

You can specify up to 5 cookie names to keep. Cookie names are case-sensitive. All other Set-Cookie headers are removed.

Deny list

You can specify up to 5 cookie names to block. Cookie names are case-sensitive. All other Set-Cookie headers pass through unchanged.

Best practice: Use Allow list for tight control over exactly which cookies are set, and Deny list to remove just a few problematic cookies while allowing most through.

Using overrides for path-specific behavior

Rule overrides can be used to configure different cookie handling for different paths. For example, you typically want to remove all cookies for public static resources (images, CSS, JavaScript) to maximize cache efficiency, while API endpoints should retain cookies that are relevant for authentication or session management.

This allows you to have a default cookie policy at the base level, and then override it for specific paths that require different behavior.
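The Set-Cookie modes and the path-specific overrides are illustrated together in the following added Python model (example code written for this page, not the CDN's implementation). SetCookiePolicy, Rule, longest-prefix matching for overrides, and the sample configuration and origin headers are all assumptions made for the example.

```python
"""Model of the 'On set cookie' setting plus path-specific rule overrides.

Example code written for this page, not the CDN's own implementation.
The class names, longest-prefix override resolution and the sample
configuration are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_NAMES = 5  # allow and deny lists accept at most 5 cookie names


@dataclass(frozen=True)
class SetCookiePolicy:
    mode: str                    # "pass", "remove", "allow_list" or "deny_list"
    names: tuple[str, ...] = ()  # case-sensitive cookie names for the lists

    def __post_init__(self) -> None:
        if self.mode not in ("pass", "remove", "allow_list", "deny_list"):
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.mode in ("allow_list", "deny_list") and not 0 < len(self.names) <= MAX_NAMES:
            raise ValueError(f"list needs 1..{MAX_NAMES} names")


def set_cookie_name(header_value: str) -> str:
    """Cookie name from 'name=value; Path=/; HttpOnly' (RFC 6265 layout)."""
    first = header_value.split(";", 1)[0]
    return first.partition("=")[0].strip()


def apply_on_set_cookie(policy: SetCookiePolicy, set_cookies: list[str]) -> list[str]:
    """Return the Set-Cookie header values that may reach the client."""
    if policy.mode == "pass":
        return list(set_cookies)
    if policy.mode == "remove":
        return []
    if policy.mode == "allow_list":
        return [h for h in set_cookies if set_cookie_name(h) in policy.names]
    return [h for h in set_cookies if set_cookie_name(h) not in policy.names]


@dataclass(frozen=True)
class Rule:
    on_cookie: str               # incoming side: "pass", "remove" or "allow_list"
    on_set_cookie: SetCookiePolicy


def effective_rule(base: Rule, overrides: dict[str, Rule], path: str) -> Rule:
    """Longest matching path prefix wins; otherwise the base rule applies."""
    best = None
    for prefix, rule in overrides.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, rule)
    return best[1] if best else base


# Constructed sample configuration: drop analytics cookies everywhere,
# strip everything for static files, keep only auth cookies for the API.
BASE = Rule("pass", SetCookiePolicy("deny_list", ("_ga", "_gid")))
OVERRIDES = {
    "/static/": Rule("remove", SetCookiePolicy("remove")),
    "/api/": Rule("allow_list", SetCookiePolicy("allow_list", ("sessionid", "csrftoken"))),
}

# Constructed origin response headers (not from the page)
ORIGIN_SET_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.123; Path=/",
    "theme=dark; Path=/",
]


def filter_response(path: str, set_cookies: list[str] = ORIGIN_SET_COOKIES) -> list[str]:
    """Apply the effective Set-Cookie policy for a request path."""
    rule = effective_rule(BASE, OVERRIDES, path)
    return apply_on_set_cookie(rule.on_set_cookie, set_cookies)


if __name__ == "__main__":
    for p in ("/static/app.css", "/api/v1/login", "/index.html"):
        print(p, filter_response(p))
```

Run stand-alone, the script shows the static path losing every Set-Cookie header, the API path keeping only `sessionid`, and the base rule letting `theme` through while dropping `_ga`. Matching is exact in both directions: an allow list naming `sessionid` removes a cookie the origin sets as `SessionID`, and a deny list naming `sessionid` lets that same `SessionID` cookie through.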