Network Profile


The AEM Delivery services are set up as origins behind Content Delivery Network (CDN) infrastructure for production and are accessed by authors, stakeholders and developers directly from their browsers. In some cases the CDN infrastructure for production sites is hosted and managed by AEM customers directly (we call this BYO CDN) or it is managed by Adobe via a Cloud Service CDN (e.g. BYO DNS).

The network profile below is relevant both for the interactions of end-users directly with their browsers (or other clients) and for setup and communication from your CDN.

Delivery Services

DNS Scheme

We use a DNS scheme that identifies each origin with the following pattern: https://<ref>--<site>--<org> (for preview) and https://<ref>--<site>--<org> (for live content). <ref>, <site> and <org> commonly identify GitHub repositories and references (branches or tags). Special characters in references, orgs and repositories are replaced by a single -. The maximum length of a domain name label is 63 characters, which limits the length of the <ref>--<site>--<org> combination.

The DNS records for and are delivered with a short 10-minute time to live (TTL), so that we can switch between delivery stacks. This happens automatically. You can set up your CDN to use both stacks simultaneously, using the * origin.

HTTP and TLS versions

The AEM Delivery endpoints support HTTP/1.1 and HTTP/2 (H2) and TLS 1.2. HTTPS (via TLS) is enforced. All .page and .live subdomains additionally set HTTP Strict Transport Security (HSTS) headers, so that downgrades to HTTP are prohibited.

HTTP Headers

Many HTTP headers can be configured by the project or are dependent on the payload, but there are some headers that are handled out of the box.


The client facing cache-control headers are set automatically by default to reflect common patterns based on resource types and origin type. Some resources that are immutable have very long max-age and others that tend to change more frequently have shorter max-age. On preview .page origins max-age is set very short, to avoid the explicit need for authors, developers and stakeholders to clear their browser cache when making changes.


The vary header is set to Accept-Encoding,X-Forwarded-Host


The x-robots-tag header is automatically set to noindex, nofollow on any .live and .page origin to avoid indexing. This header is removed by the CDN tier for production only.

CDN Specific Headers

To manage cache consistency with your CDN in an optimal way and to support precise push invalidation, custom headers are set for each supported CDN that control the CDN's caching behavior and cache keys. The terminology and headers, as well as the available features and semantics, vary greatly between vendors.
These headers are only added for requests coming from a CDN. They are consumed by the CDN and are not surfaced to the browser or other clients.

URL Space

The available URL space on the .page and .live origins is limited to a combination of upper and lowercase basic latin letters (A-Z and a-z), numbers (0-9), dash (-), underscore (_), period (.) and forward slash (/). Certain combinations of . and/or / in direct succession are also not valid.

If you need to service a broader URL space we recommend rewriting URLs on your CDN tier.

Access to the available URL Space

Developers and authors have access to the full URL space via resources coming from GitHub, folder names or redirect sources coming from the redirects spreadsheet.

Access to a more limited URL Space

File names in content sources (documents and spreadsheets in SharePoint or Google Drive) are automatically rewritten to a narrower character set that includes only lowercase basic latin letters (a-z), numbers (0-9) and dash (-), with the corresponding extension appended.
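Two checks a CDN operator can run before routing traffic to these origins, as an added example (not code from the AEM project): it builds the <ref>--<site>--<org> label from the DNS Scheme section and tests it against the 63-character limit, and it checks a request path against the URL space described above. The function names, the lowercasing and the reading of "special characters" are assumptions; because the page does not list the invalid . and / combinations, any such run is only flagged for review.

```javascript
// Added example, not AEM project code. All function names are hypothetical.
const MAX_DNS_LABEL = 63; // maximum length of a domain name label (from the page)

// Assumption: a "special character" is anything outside a-z, 0-9 and "-",
// and a run of them collapses to a single "-". Input is lowercased because
// DNS names are case-insensitive.
function sanitizePart(part) {
  return String(part).toLowerCase().replace(/[^a-z0-9-]+/g, '-');
}

// Build the <ref>--<site>--<org> label and report whether it fits in one label.
function originLabel(ref, site, org) {
  const label = [ref, site, org].map(sanitizePart).join('--');
  return { label, length: label.length, fits: label.length <= MAX_DNS_LABEL };
}

// Anything outside the character set the .page and .live origins accept.
const DISALLOWED = /[^A-Za-z0-9\-_.\/]/g;
// Assumption: the page does not say which "." and "/" combinations are
// invalid, so two or more in direct succession are flagged, not rejected.
const DOT_SLASH_RUN = /[.\/]{2,}/;

// Classify a URL path (no query string) as seen by the CDN tier.
function checkPath(path) {
  const bad = [...new Set(path.match(DISALLOWED) || [])];
  if (bad.length > 0) return { verdict: 'rewrite-on-cdn', chars: bad };
  if (DOT_SLASH_RUN.test(path)) return { verdict: 'review', chars: [] };
  return { verdict: 'ok', chars: [] };
}

// Constructed sample paths and names, for illustration only.
const samplePaths = [
  '/en/products/index.html',
  '/docs/My_File-2.pdf',
  '/blog/caf%C3%A9', // percent-encoding falls outside the allowed set
  '/a/../b',         // "." and "/" in direct succession
];
for (const p of samplePaths) {
  console.log(p, JSON.stringify(checkPath(p)));
}
console.log(originLabel('feature/login-fix', 'website', 'example-org'));
console.log(originLabel('a'.repeat(50), 'website', 'example-org'));
```

Paths that come back as rewrite-on-cdn are the ones the page recommends handling with a rewrite rule on the CDN tier.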

Admin Service (API)

The admin service endpoint available on (see API Spec here) is built to be accessed via a broad range of HTTP clients including browsers, command line tools as well as common HTTP clients.

It supports HTTP/1.1 and HTTP/2 (H2) with TLS 1.2. HTTPS (via TLS) is enforced.