Skip to content

CDN Guide » Origin shield

Last updated: Mar 27, 2017

Origin shield is an extra caching layer between the CDN edge servers and your origin. The shield helps offload your origin and speed up cache miss responses. Another benefit of Origin shield is: if you want to whitelist IPs of the CDN in the firewall on your origin, you only need to whitelist a few IPs instead of many.

One (or multiple) of the POPs of the CDN will act as the shield. When a CDN edge server gets a request from a user and can't satisfy the request from cache, the edge server will fetch the object from the shield POP rather than pulling from the customer origin directly.

Origin shield is not the same thing on all CDNs that have this feature. For example, Verizon / EdgeCast provides its customers the option to assign a single POP as the shield or assign shield POP per region (US, EU, Asia, ...), while other CDNs like StackPath allow the customer to have a single POP and this can be only a POP in US.
Read on to learn more about the differences between CDNs.

Does the CDN provide Origin shield for free or is it a paid add-on?

POP selection
Can any of the CDN POPs act as a shield or can you select from a limited number of POPs?

Can you have multiple POPs act as a shield or just one?

CDNs and Origin shield

  • Available/supported = Yes
  • Partially = Sort of/partially
  • Not available/supported = No
  • Extra costs = Extra costs
  • Unknown = Unknown
CDN Free Selection Multiple
Limelight Available/supported Available/supported Available/supported
Imperva Extra costs Unknown Unknown
Verizon Digital Media Services Extra costs Available/supported Available/supported
StackPath More info Available/supported Partially Not available/supported
Fastly More info Available/supported Available/supported Partially
CDNetworks More info Extra costs Available/supported Available/supported
Level 3 Extra costs Unknown Not available/supported
Kingsoft Cloud Available/supported Unknown Unknown
BaishanCloud Extra costs Unknown Unknown
G-Core Labs More info Available/supported Available/supported Unknown
CloudFront Not available/supported Not available/supported Not available/supported
CacheFly More info Available/supported Unknown Unknown
ChinaCache More info Available/supported Available/supported Unknown
Akamai More info Extra costs Unknown Unknown
BunnyCDN More info Unknown Unknown Unknown
BelugaCDN Extra costs Unknown Not available/supported
Tata Communications More info Not available/supported Not available/supported Not available/supported
QUANTIL More info Available/supported Partially Not available/supported
CDN77 More info Available/supported Partially Available/supported
CDNs missing in this table? That is because we don't have the relevant info

More info per CDN


Fastly has an excellent guide about their Shielding feature. The online document explains how shielding works, how to enable it and what the caveats are. We particularly like that Fastly customers who use multiple origins can define a shield per origin. View the Fastly Guide: Shielding.


On customer request, the CDNetworks support team will set up one or multiple POPs to act as a shield. The customer lists the origin server location(s) as well as the geography of end users and CDNetworks uses this info to determine which POPs can best act as a shield.

G-Core Labs

Currently in beta/test mode. Read about this feature in the Origin Shielding (pre-cache server) article.


Read the blog post on CacheFly website Maximize Your Security with Origin Shielding.


Onr request, the ChinaCache support team enables and configures the Origin shield.


The name of the Akamai origin shield product is Site Shield.


Origin Shield is in private beta testing since Q1 2019.

Tata Communications

Tata CDN does not have an origin shield feature. They have a tiered caching architecture and claim this gratly helps reduce the load on the customer origin.


On customer request, the QUANTIL support team will set up one POP to act as a shield.


The StackPath shield POP maintains a long-lived connection with the customer origin and merges multiple requests for the same file into a single request to the origin. StackPath customers can currently select from three POPs to act as the shield: the POP in San Jose (US), the POP in Virginia (US) or the POP in Amsterdam (NL). Learn more about StackPath Origin Shield or view their Origin Shield API documentation.


CDN77 customers requiring Origin shield are assigned 2 IP addresses of servers - one in US and one in Europe. The customer cannot choose the locations of these two shield POPs by default, but if the customer has a strong preference to use a location closer to the origin, CDN77 is willing to change the shield(s).

More CDN Guides