Target CDN Asset Delivery Guide

Developer Guide: Target CDN Asset Delivery

This guide explains how to use test.tgtcdn.com for private GCS-backed image retrieval, Cloudflare-native image transformations, Scene7-style compatibility URLs, cache behavior, and purge by GCS object key.

Platform Summary

CapabilityHow it works in the POC
Native image retrievalhttps://test.tgtcdn.com/<object-key> reads the original private GCS object through cdn-gateway.
Native image transformshttps://test.tgtcdn.com/cdn-cgi/image/<options>/<object-key> uses Cloudflare Image Transformations directly.
Compatibility image transformshttps://test.tgtcdn.com/is/image/Target/<object-key>?<scene7-options> routes through image-url-translator, then redirects to the native transform URL.
Cache purgePurge the Cloudflare cache tag gcs-key:<object-key> from the Cloudflare Dashboard or Cache Purge API.
Demo and health/demo shows examples. /health shows POC status and recent asset activity.

Native Image Retrieval

Use raw object URLs when the page or application needs the original GCS object without resizing, format conversion, or quality changes.

https://test.tgtcdn.com/<object-key>

Known working example:

https://test.tgtcdn.com/007/ORIGINAL

Retrieval behavior:

Header or behaviorMeaning
X-CDN-Origin: GCSThe asset is served through the private GCS origin adapter.
X-Origin-Mode: gcs-service-accountThe Worker authenticates to GCS using a service-account secret.
X-Asset-Key: 007/ORIGINALStable object-key header for Log Explorer/Logpush custom fields on Worker-handled paths.
X-Asset-Path: /007/ORIGINALPublic path mapped to the GCS object key.
X-Cache-Tag: gcs-key:007/ORIGINALDeterministic cache tag derived directly from the GCS object key.
CF-Cache-Status: HITRepeat request is served from Cloudflare cache.

Native Image Transformations

Use native Cloudflare Image Transformations URLs when Target controls application or page markup. This is the preferred long-term path because the browser requests Cloudflare's image pipeline directly without a compatibility redirect.

https://test.tgtcdn.com/cdn-cgi/image/<options>/<object-key>

Example product detail image:

https://test.tgtcdn.com/cdn-cgi/image/width=1200,height=1200,quality=85,format=auto,fit=scale-down,metadata=none/007/ORIGINAL

Example product tile:

https://test.tgtcdn.com/cdn-cgi/image/width=400,height=400,quality=80,format=auto,fit=crop,metadata=none/007/ORIGINAL

Example responsive gallery markup:

<img
  src="https://test.tgtcdn.com/cdn-cgi/image/width=800,height=800,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL"
  srcset="
    https://test.tgtcdn.com/cdn-cgi/image/width=300,height=300,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 300w,
    https://test.tgtcdn.com/cdn-cgi/image/width=400,height=400,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 400w,
    https://test.tgtcdn.com/cdn-cgi/image/width=600,height=600,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 600w,
    https://test.tgtcdn.com/cdn-cgi/image/width=800,height=800,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 800w,
    https://test.tgtcdn.com/cdn-cgi/image/width=1200,height=1200,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 1200w
  "
  sizes="(min-width: 992px) 60vw, 50vw"
  alt="Product image"
>

Transformation Defaults

AreaPOC default
Supported compatibility widths300, 320, 400, 480, 600, 640, 670, 800, 960, 980, 1200, 1280, 1600, 1920
Product gallery widths300, 400, 600, 800, 1200
Observed marketing/recommendation widths670, 980
Format for new markupformat=auto
Product gallery qualityquality=80
Detail/hero qualityquality=85
Compressed marketing qualityquality=65 where already observed
Gallery/detail fitfit=scale-down
Tile/marketing crop fitfit=crop
Metadatametadata=none

Each unique option set creates a separate cacheable image variant. Keep widths, quality levels, and fit modes intentional to avoid unnecessary variant growth.

Compatibility URL Translation

Use compatibility URLs when testing existing Scene7-style URLs or when URL generation cannot change yet.

https://test.tgtcdn.com/is/image/Target/<object-key>?wid=<width>&hei=<height>&qlt=<quality>&fmt=<format>&fit=<fit>

Example compatibility request:

https://test.tgtcdn.com/is/image/Target/007/ORIGINAL?wid=800&hei=800&qlt=80&fmt=pjpeg

Current flow:

/is/image/Target/... -> image-url-translator Worker -> 302 -> /cdn-cgi/image/...

Compatibility parameter mapping:

Scene7-style optionPOC behavior
widMaps to width. Unsupported between-values snap up to the next supported width.
heiMaps to height. If width is snapped, height is scaled by the same ratio.
qltMaps to quality. POC-safe range is normalized to 60-90.
fmt=pjpegMaps to format=jpeg. New native markup should use format=auto.
fit=crop,1Maps to fit=crop.

Examples of compatibility normalization:

RequestResolved behavior
wid=500&hei=500width=600,height=600
wid=1000&hei=430&fit=crop,1width=1200,height=516,fit=crop
wid=670&hei=377&qlt=65&fmt=pjpeg&fit=crop,1Preserves 670x377, maps to quality=65,format=jpeg,fit=crop

Compatibility URLs are useful for migration testing and noisy legacy URL handling. They are not the preferred final markup because the current implementation adds a browser redirect before the transformed image is fetched.

Cache And Purge Logic

Raw source assets and transformed variants are cached at Cloudflare. The same source image requested with different transform options creates distinct transformed variants.

Purge is based on the GCS object key. The Worker attaches the object key directly as the Cloudflare cache tag, prefixed with gcs-key:.

gcs-key:007/ORIGINAL

Purge behavior:

StepWhat happens
Identify object keyhttps://test.tgtcdn.com/007/ORIGINAL maps to object key 007/ORIGINAL.
Compute cache tagAdd the gcs-key: prefix: gcs-key:007/ORIGINAL.
Purge by DashboardCloudflare Dashboard > Caching > Configuration > Purge Cache > Custom Purge > Tags.
Purge by APISend {"tags":["gcs-key:007/ORIGINAL"]} to the Cloudflare zone purge endpoint.
ValidateRequest the same raw and transformed URLs again and confirm stale content is gone.

API example:

ZONE_ID="aacac726952b470209b3c31c95ea0b17"

curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"tags":["gcs-key:007/ORIGINAL"]}'

Do not exact-purge /cdn-cgi/image/... transformed URLs. Cloudflare rejects exact purges for resized image URLs; purge the gcs-key:<object-key> tag instead.

When To Use Each Structure

Use caseRecommended structure
Original image delivery with no resizeNative retrieval: /<object-key>
New product page markupNative transform: /cdn-cgi/image/...
Responsive srcset generated by TargetNative transform URLs with agreed widths
Existing Scene7-shaped URLsCompatibility URL: /is/image/Target/...
URLs needing snapping, validation, or parameter cleanupCompatibility Worker path
Stable legacy patterns that do not need complex logicFuture Transform Rule rewrite, documented separately in config/IMAGE-COMPAT-RULES.md
Same-key GCS overwritePurge cache tag gcs-key:<object-key> through Cloudflare Dashboard or API.

Observability And Tooling

SurfacePurpose
/demoVisual image gallery showing raw and transformed delivery.
/healthPOC health dashboard backed by Workers Analytics Engine.
/api/assetsPer-asset rollups for delivered assets and purge markers.
Log ExplorerProduction request-level investigation for http_requests, including native /cdn-cgi/image/... traffic.
LogpushOptional export of the same HTTP request logs to a Target-owned observability platform.
scripts/test-developer-image-guide.mjsLive regression suite generated from this guide.

Observability backend split:

BackendUse it forKey limit
Workers Analytics EngineCustom asset lifecycle telemetry: object key, origin pulls, cache hit ratio, purge markers, health states.Only sees events the Workers write. It is not full request logging.
Log ExplorerCloudflare-native log search and dashboards for raw, compatibility, and native image request traffic.Cloudflare-hosted; use Logpush if Target requires external ownership/retention.
LogpushExporting Cloudflare HTTP request logs to Splunk, Datadog, GCS, BigQuery, S3, R2, or another platform.Requires destination, field selection, retention, and PII policy decisions.

For Log Explorer or Logpush, enable the http_requests dataset for test.tgtcdn.com. The POC uses header-based enrichment as the recommended default: Workers emit approved X-* response headers and Log Explorer captures them as custom response fields. Current fields are X-Asset-Key, X-Cache-Tag, X-CDN-Origin, X-Origin-Mode, X-Transform-Method, X-Resolved-Width, and X-Resolved-Format.

Customer decision point:

OptionWhen to useTradeoff
Header-based enrichmentRecommended default for raw and compatibility paths. Adds searchable object-key and transform context without changing the native image fast path.Headers are visible to clients; native /cdn-cgi/image/... responses may not carry Worker headers.
Path-only loggingUse if Target wants no extra response metadata. Derive object key from URL path.Less direct cache-tag and compatibility correlation.
Expanded X-* headersUse if Target wants more asset or policy fields in Log Explorer.Requires explicit allow-list and PII/governance review.
Target request headersUse if Target apps can send product, campaign, or page context for logging.Requires Target app changes and strict data review.
Logpush correlationUse when Target wants to join HTTP logs with Analytics Engine, purge events, or catalog data in Target-owned tooling.Requires destination, schema, retention, and pipeline ownership.
Worker-mediated final deliveryUse only when every final image response must carry Worker metadata.Not recommended by default because it can add latency, cost, and complexity.

Native /cdn-cgi/image/... responses are generated by Cloudflare Image Transformations and may not carry Worker headers, so investigate those by request path, status, cache status, Ray ID, and the object key derived from /cdn-cgi/image/<options>/<object-key>.

Validation Commands

Validate raw native retrieval:

curl -I "https://test.tgtcdn.com/007/ORIGINAL"

Validate native transform delivery:

curl -I -H "Accept: image/webp" \
  "https://test.tgtcdn.com/cdn-cgi/image/width=640,quality=85,format=webp,fit=scale-down/007/ORIGINAL"

Validate compatibility behavior:

curl -IL "https://test.tgtcdn.com/is/image/Target/007/ORIGINAL?wid=1200&hei=1200&qlt=80"

Run the full guide-derived image suite:

node scripts/test-developer-image-guide.mjs

Expected signals:

SignalMeaning
HTTP 200 on raw retrievalThe original object was served.
X-CDN-Origin: GCSRaw retrieval went through the private GCS gateway.
X-Asset-Key: 007/ORIGINALRaw retrieval exposes an object-key field suitable for Log Explorer/Logpush custom field indexing.
X-Cache-Tag: gcs-key:007/ORIGINALRaw retrieval is associated with the key-derived purge tag.
HTTP 200 on native transformThe transformed image was served.
cf-resized response headerCloudflare Image Transformations processed the image.
HTTP 302 on compatibility URLThe compatibility Worker redirected to native /cdn-cgi/image/....
CF-Cache-Status: HIT on repeat requestThe asset or variant is cached at Cloudflare.