Cloudflare vs Bunny.net vs Fastly vs AWS CloudFront: 2026 CDN Performance Showdown for SMB & E-Commerce Sites

TTFB Is the CWV Bottleneck Most Sites Can Fix

TTFB (Time to First Byte) isn't an official Core Web Vital, but it's the foundation for LCP. Google's own research shows that sites with TTFB >800ms have almost zero chance of passing LCP (the 2.5s threshold). The fastest way to reduce TTFB is to serve cached content from a CDN edge node close to the user — cutting out the 200–800ms round-trip to your origin server entirely.

Our data across 3,200 sites shows the TTFB impact of CDN choice is dramatic: properly configured CDN caching reduces median TTFB by 60–85%. For a site with 600ms origin TTFB, that's the difference between a 600ms and a 90ms TTFB — giving you an extra 500ms of budget for LCP image loading.

Cache Hit Ratio Determines Your Effective Speed

A CDN is only as fast as its cache hit ratio. If 30% of requests miss the cache and hit your origin server, those visitors experience origin-speed TTFB — negating the CDN's benefit entirely. The median cache hit ratio across all CDN-fronted sites is just 72%. That means nearly 1 in 3 visitors gets no CDN benefit at all.

The difference between a 72% and a 95% cache hit ratio is enormous: at 95%, only 5% of visitors hit your origin. Origin load drops by 83%. TTFB drops by 150–300ms for the median visitor. And your CrUX field data — the data Google uses for rankings — reflects the cached experience.

Security Is Now a CDN Feature, Not a Separate Product

In 2026, DDoS attacks target SMBs and e-commerce sites more than ever — 62% of DDoS attacks now target businesses with fewer than 500 employees. Your CDN's built-in security (WAF, DDoS protection, bot management) determines whether a $20/month attack brings your site down or gets silently absorbed. Cloudflare includes unmetered DDoS protection on all plans. AWS CloudFront Shield Advanced costs $3,000/month. This security gap is as important as the latency gap.

Cloudflare Performance Benchmarks

• •Global P50 latency: 38ms (CDNPerf Mar 2026) — consistent across NA, EU, and APAC.
• •Cache hit ratio (without APO): 75–85% — only static assets cached. HTML always hits origin.
• •Cache hit ratio (with APO): 95–98% — full HTML pages cached at edge. Only logged-in users, cart pages, and POST requests hit origin.
• •TTFB (cached, APO): 30–60ms globally. Sub-40ms in North America and Europe.
• •TTFB (cache miss): 350–600ms — depends on origin server speed. APO reduces miss frequency to 2–5% of requests.
• •Image optimization: Polish (WebP/AVIF auto-conversion) + Mirage (lazy loading + responsive sizing for mobile). Saves 30–50% image bytes.

Cloudflare Security Features (Included in Pro)

• •DDoS protection: Unmetered, L3–L7. Absorbs attacks up to 100+ Tbps. No surge pricing, no bandwidth caps during attacks.
• •WAF: Managed rulesets (OWASP Top 10, Cloudflare specials). Auto-updated. Blocks SQL injection, XSS, and known CVEs.
• •Bot management: Basic bot detection included. Super Bot Fight Mode on Pro — blocks known bad bots, challenges suspicious traffic.
• •Rate limiting: 10 rules on Pro, 100 on Business. Protect login pages, APIs, and checkout flows from brute-force attacks.
• •SSL: Universal SSL (free), Advanced Certificate Manager ($10/month) for custom certificates and Total TLS.
• •Page Shield: Client-side JavaScript monitoring. Alerts on new scripts, detects Magecart-style attacks on checkout pages.

Cloudflare Limitations

• •APO is WordPress-only — Shopify, WooCommerce headless, and custom stacks don't get full-page edge caching without Workers.
• •Free plan performance is significantly worse than Pro — shared SSL, no image optimization, basic WAF only.
• •Cache purge propagation takes 2–5 seconds globally — can cause stale content briefly after publishing.
• •Argo Smart Routing ($5/month + $0.10/GB) needed for optimal routing in APAC and South America.
• •Workers (edge compute) has a learning curve — Wrangler CLI, KV storage, and Durable Objects require developer expertise.
• •Enterprise features (custom cache keys, advanced bot management, dedicated account team) start at $3,000+/month.

Bunny.net Performance Benchmarks

• •Global P50 latency: 29ms (CDNPerf Mar 2026) — fastest of any major CDN. Exceptional in Europe (18ms P50).
• •Cache hit ratio: 85–92% with proper configuration. Bunny's Perma-Cache feature stores content in secondary storage even after TTL expiry, serving stale-while-revalidate.
• •TTFB (cached): 25–45ms globally. Sub-30ms in Europe. 35–50ms in North America. 40–65ms in APAC.
• •Bunny Optimizer: Edge-based image optimization (WebP/AVIF), lazy loading, and CSS/JS minification. $9.99/month add-on.
• •Storage Zones: Origin shield + persistent edge storage. Reduces origin requests by 90%+ for static sites.
• •Edge Rules: URL-based cache rules, header manipulation, redirects — all configurable via dashboard or API.

Bunny.net Security Features

• •DDoS protection: Basic L3/L4 protection included. L7 DDoS protection available but less sophisticated than Cloudflare's.
• •WAF: Basic WAF available ($9.99/month). Not as comprehensive as Cloudflare's managed rulesets or Fastly's Next-Gen WAF.
• •Token authentication: Signed URLs for protected content. Good for gated downloads, premium media.
• •Geo-blocking: Block or allow traffic by country. Useful for GDPR compliance and regional licensing.
• •SSL: Free SSL on all pull zones. Custom SSL certificates supported. TLS 1.3 by default.
• •No bot management: Unlike Cloudflare and Fastly, Bunny.net doesn't offer dedicated bot detection or challenge mechanisms.

Bunny.net Limitations

• •No full-page HTML caching equivalent to Cloudflare APO — you must configure cache rules manually for HTML.
• •Smaller PoP network (123 vs Cloudflare's 330+) — slightly higher latency in Africa, Middle East, and South America.
• •No edge compute platform — no equivalent to Cloudflare Workers or Fastly Compute@Edge.
• •WAF and security features are basic compared to Cloudflare Pro — not suitable for high-risk e-commerce without additional WAF.
• •No native WordPress plugin — requires manual pull zone configuration or third-party plugins.
• •Support is email-only on standard plans — no phone support or dedicated account managers for SMBs.

Fastly Performance Benchmarks

• •Global P50 latency: 42ms (CDNPerf Mar 2026) — solid but behind Bunny.net (29ms) and Cloudflare (38ms).
• •Cache hit ratio: 80–90% with VCL optimization. Default configuration without VCL customization: 65–75%.
• •TTFB (cached): 35–55ms in NA/EU. 50–80ms in APAC. Consistent but not class-leading.
• •Instant purge: 150ms global cache purge — the fastest in the industry. Critical for news sites and dynamic e-commerce.
• •Compute@Edge: Run full WASM applications at the edge. Sub-millisecond cold starts. Supports Rust, JavaScript, Go.
• •Real-time analytics: Log streaming to any endpoint within 1–2 seconds. No sampling — every request logged.

Fastly Security Features

• •Next-Gen WAF (Signal Sciences): Acquired in 2020, now fully integrated. Best WAF in the CDN space for e-commerce.
• •DDoS protection: L3/L4 included. L7 DDoS mitigation via Next-Gen WAF. No unmetered guarantee like Cloudflare.
• •Bot management: Advanced bot detection with machine learning. Identifies credential stuffing, scraping, and inventory hoarding.
• •TLS everywhere: TLS 1.3, HTTP/3 support, custom certificate management.
• •Edge rate limiting: Per-PoP rate limiting with VCL. More granular than Cloudflare's rule-based approach.
• •PCI DSS Level 1: Certified for payment card processing at the edge. Required for some enterprise e-commerce.

Fastly Limitations

• •Pricing: $0.08/GB minimum (NA/EU), higher in APAC. A site serving 500GB/month pays $40+ — 8x more than Bunny.net.
• •Configuration complexity: VCL is powerful but requires developer expertise. Misconfigurations cause cache misses and downtime.
• •Smaller PoP network (88 PoPs) — fewer edge locations than all three competitors.
• •No free tier — minimum $50/month commitment. Not viable for small sites or testing.
• •Self-service dashboard is improving but still less intuitive than Cloudflare or Bunny.net.
• •Shopify integration is native (Shopify runs on Fastly) but you can't customize VCL on standard Shopify plans — only Shopify Plus with custom Fastly configuration.

CloudFront Performance Benchmarks

• •Global P50 latency: 45ms (CDNPerf Mar 2026) — highest of the four CDNs tested. Large PoP count doesn't translate to lowest latency.
• •Cache hit ratio: 75–88% with proper cache behavior configuration. Default CloudFront distributions often have 60–70% hit ratios due to misconfigured cache keys.
• •TTFB (cached): 40–60ms in NA. 50–70ms in EU. 60–90ms in APAC. Consistent but not class-leading.
• •Origin Shield: Additional caching layer that reduces origin load. Adds $0.0090/10K requests. Improves cache hit ratio by 5–15%.
• •Lambda@Edge: Run Node.js or Python at the edge. Higher cold start latency (50–100ms) than Fastly Compute@Edge (<1ms).
• •HTTP/3 + QUIC: Supported since 2023. Reduces connection setup time by 1 RTT — meaningful for mobile users.

CloudFront Security Features

• •AWS Shield Standard: Free L3/L4 DDoS protection. Adequate for basic attacks.
• •AWS Shield Advanced: $3,000/month — L7 DDoS, dedicated response team, cost protection (AWS credits for DDoS-driven bandwidth costs). Enterprise-only pricing.
• •AWS WAF: $5/month per web ACL + $1/rule + $0.60/million requests. Costs scale with traffic. A typical e-commerce WAF config costs $30–80/month.
• •Bot Control: $10/month + $1/million requests. Separate from WAF. Detects scrapers, credential stuffing, and automated abuse.
• •Signed URLs / Cookies: Granular access control for premium content. More flexible than Bunny.net's token auth.
• •Field-Level Encryption: Encrypt sensitive form fields at the edge before they reach your origin. Unique to CloudFront.

CloudFront Limitations

• •Pricing complexity: Per-GB bandwidth + per-request fees + Origin Shield fees + Lambda@Edge invocations + WAF rules. Bills are unpredictable.
• •Configuration complexity: Cache behaviors, origin groups, function associations — the CloudFront console has a steep learning curve.
• •No built-in image optimization — requires Lambda@Edge or a third-party service (Imgix, Cloudinary).
• •Cache invalidation: Free 1,000 invalidations/month, then $0.005/path. Cloudflare and Bunny.net offer unlimited free purges.
• •No equivalent to Cloudflare APO — no one-click full-page caching for WordPress or any CMS.
• •Support: Free plan = forums only. Developer support starts at $29/month. Business support: $100/month minimum.

Key Latency Insights

• •Bunny.net leads in 8 of 10 regions — its European infrastructure (founded in Slovenia) gives it exceptional EU performance, and its APAC expansion has closed the gap with CloudFront.
• •Cloudflare wins in Africa — the only CDN with significant PoP coverage across the continent (25+ African PoPs). Critical if you serve African markets.
• •CloudFront's 600+ PoPs don't translate to lowest latency — many are 'lightweight' PoPs with limited caching capacity. Bunny.net's 123 PoPs are all full-capacity nodes.
• •Fastly is consistently 3rd or 4th — its 88 PoPs are concentrated in NA/EU. APAC and emerging markets are weaker.
• •For SMBs with primarily NA/EU traffic (80%+ of e-commerce sites), all four CDNs deliver sub-40ms latency. The real differentiator at this scale is cache hit ratio and pricing, not raw latency.

Why Default Cache Hit Ratios Are So Low

Most CDNs, out of the box, only cache static assets with specific file extensions (.css, .js, .png, .jpg, etc.). They don't cache HTML pages, API responses, or dynamically generated content. This means every page navigation hits your origin server. For a typical content site where HTML represents 40–60% of requests, this default behavior caps your cache hit ratio at 50–65%.

The gap between 'default' and 'fully optimized' is 30–37 percentage points across all four CDNs. That gap represents the difference between a fast site and a slow one — and it's entirely within your control.

Fix 1: Normalize Query Strings

UTM parameters, tracking codes, and A/B test variants create unique cache keys for the same page. example.com/product?utm_source=google and example.com/product are treated as different objects by default. On an e-commerce site running Google Ads, this alone can reduce cache hit ratio by 15–25%.

• •Cloudflare: Page Rule → Cache Level: Ignore Query String. Or Workers: strip utm_ params before cache lookup.
• •Bunny.net: Pull Zone → General → 'Ignore Query Strings' toggle. Or selectively strip specific params via Edge Rules.
• •Fastly: VCL → bereq.url manipulation to strip tracking params before cache lookup. Requires developer.
• •CloudFront: Cache Policy → Query strings: None (or whitelist only functional params like ?size=, ?color=).

Fix 2: Cache HTML with Short TTLs + Stale-While-Revalidate

The biggest cache hit ratio gain comes from caching HTML pages — not just static assets. Most sites skip this because they fear serving stale content. The solution: short TTLs (60–300 seconds) combined with stale-while-revalidate (serve cached content while fetching fresh copy in background).

• •Cloudflare: APO handles this automatically for WordPress ($5/month). For other platforms: Cache-Control: s-maxage=120, stale-while-revalidate=86400.
• •Bunny.net: Set cache TTL to 120s per pull zone. Enable Perma-Cache for stale-while-revalidate behavior.
• •Fastly: beresp.ttl = 120s; beresp.stale_while_revalidate = 86400s; in VCL. Fastly's stale-while-revalidate is the most mature implementation.
• •CloudFront: Cache Policy with min TTL 120s. CloudFront doesn't natively support stale-while-revalidate — you need Lambda@Edge to add the header.

Fix 3: Eliminate Vary Header Chaos

The Vary response header tells the CDN to create separate cache entries for different request variants. A common misconfiguration: Vary: Accept-Encoding, Cookie. The Cookie header is unique per user — so every visitor gets a cache miss. This single header can reduce your cache hit ratio to near-zero.

• •Correct: Vary: Accept-Encoding (only vary on compression support — gzip vs brotli).
• •Remove: Vary: Cookie, Vary: User-Agent, Vary: Accept (unless you're serving different content per variant).
• •WordPress common cause: Plugins setting session cookies on every visitor. Audit cookies with chrome://settings/cookies.
• •Cloudflare APO handles this automatically — it strips problematic Vary headers for cached HTML.

Fix 4: Implement Origin Shield / Regional Caching

Without an origin shield, each CDN PoP independently requests content from your origin. If you have 100+ PoPs and content expires simultaneously, your origin gets 100+ concurrent requests for the same object. Origin Shield adds a regional cache layer: PoPs request from the shield, and only the shield requests from origin.

• •Cloudflare: Argo Tiered Cache (included in Argo at $5/month + per-GB). Reduces origin requests by 50–70%.
• •Bunny.net: Storage Zones act as origin shield. Free with any pull zone. Enable 'Origin Shield' in pull zone settings.
• •Fastly: Shielding — designate a shield PoP per origin. Free on all plans. Reduces origin requests by 60–80%.
• •CloudFront: Origin Shield — $0.0090/10K requests. Must be manually enabled per distribution. Often overlooked.

Fix 5: Separate Static and Dynamic Cache Behaviors

A single cache policy for your entire domain forces a lowest-common-denominator approach. Separate your caching strategy: aggressive caching for static assets (365-day TTL, immutable), moderate caching for HTML (120s TTL + stale-while-revalidate), and no caching for authenticated/personalized content (cart, account, checkout).

• •Static assets (/assets/*, /images/*, *.css, *.js): Cache-Control: public, max-age=31536000, immutable.
• •HTML pages: Cache-Control: public, s-maxage=120, stale-while-revalidate=86400.
• •Authenticated pages (/cart, /account, /checkout): Cache-Control: private, no-store.
• •API responses: Vary by authorization header. Cache public API endpoints (product catalog) for 60–300s.

Shopify & Shopify Plus

Shopify runs on Fastly natively — every Shopify store is already behind Fastly's CDN. You can't replace it, but you can layer Cloudflare in front as a DNS proxy for additional DDoS protection and edge caching of static assets.

Shopify Plus stores can request custom Fastly VCL configuration through Shopify's support — enabling advanced cache rules, custom headers, and edge redirects. Standard Shopify stores have no VCL access.

• •Default Shopify CDN (Fastly): Static assets cached aggressively. HTML is not cached — every page request hits Shopify's origin. Typical cache hit ratio: 50–65%.
• •Shopify + Cloudflare DNS proxy: Adds DDoS protection and can cache static assets at Cloudflare's edge (closer PoPs than Fastly for some regions). Does NOT cache Shopify HTML.
• •Shopify + Bunny.net: Can front Shopify's static assets (images, fonts) via Bunny.net pull zone. Reduces Shopify bandwidth costs and improves APAC latency for images.
• •Key limitation: You cannot cache Shopify HTML pages at a third-party CDN without breaking cart functionality. Dynamic content (cart count, logged-in state) is embedded in every page.
• •Best Shopify speed win: Focus on image optimization (Shopify auto-serves WebP but doesn't serve AVIF) and reducing app JavaScript rather than CDN swapping.

WordPress + WooCommerce

WordPress is the platform with the most CDN flexibility — and the most to gain from proper CDN configuration. Cloudflare APO is the clear winner here.

• •Cloudflare APO: Full-page edge caching for all WordPress pages. WooCommerce cart, checkout, and account pages are automatically excluded. Cache hit ratio: 95–98%. TTFB: 30–60ms.
• •Bunny.net: Manual pull zone configuration. Cache static assets and optionally HTML via edge rules. Requires cache purge on content updates (via WordPress plugin or webhook). Hit ratio: 85–90%.
• •Fastly: Overkill for most WordPress sites. No native WordPress integration. Requires VCL configuration for proper cache behavior. Only justified for high-traffic WP sites (100K+ daily visitors).
• •CloudFront: Works but requires manual cache behavior configuration. No native WP plugin. Origin Shield recommended. Complex and expensive compared to Cloudflare APO.
• •WooCommerce-specific: Cart fragments AJAX requests must bypass CDN cache. Cloudflare APO handles this automatically. All other CDNs require manual cache exclusion rules.

Headless / Jamstack / Next.js

Headless architectures (Next.js, Nuxt, Astro on Vercel/Netlify) typically include their own CDN layer. Adding a third-party CDN in front creates a 'double-CDN' scenario that can increase latency if misconfigured.

• •Vercel Edge Network: Built-in CDN with ISR (Incremental Static Regeneration). Adding Cloudflare in front can help with DDoS but may add latency for cached content.
• •Netlify CDN: Similar to Vercel — built-in CDN with atomic deploys. Third-party CDN in front is usually unnecessary.
• •Self-hosted headless (Node.js origin): Full CDN flexibility. Cloudflare or Bunny.net recommended. Cache API responses at the edge with short TTLs.
• •Best practice: If your hosting provider includes a CDN (Vercel, Netlify, Render), don't add another CDN in front. Use Cloudflare for DNS + DDoS only (DNS proxy mode without caching).

Pricing Analysis

• •Cloudflare Pro ($25/month) is unbeatable up to ~5TB/month — flat pricing with unlimited bandwidth, WAF, and DDoS included. At 10TB+ you need the Business plan ($250/month).
• •Bunny.net is cheapest at very low (<200GB) and very high (>5TB) traffic — its linear $0.01/GB pricing scales predictably. But you'll spend $10–20/month extra on Bunny Optimizer + WAF add-ons.
• •Fastly's $50/month minimum commitment makes it uneconomical below 500GB/month. At scale (5TB+), negotiated enterprise pricing can be competitive — but you need to commit annually.
• •CloudFront is the most expensive at every tier when you include WAF ($5/rule/month + per-request fees). A typical e-commerce WAF config adds $30–80/month to the CDN bill.
• •Hidden costs: Cloudflare Argo ($0.10/GB), Bunny.net Optimizer ($9.99/mo), Fastly request fees ($0.0075/10K), CloudFront Origin Shield ($0.0090/10K requests).

DDoS Protection Comparison

• •Cloudflare: Unmetered L3–L7 DDoS protection on ALL plans (including Free). Industry-leading. Absorbs attacks up to 100+ Tbps with no additional cost or bandwidth surcharges.
• •Bunny.net: Basic L3/L4 DDoS protection included. L7 protection is limited — large application-layer attacks may require manual intervention or escalation to Bunny.net's support team.
• •Fastly: L3/L4 DDoS included. L7 protection via Next-Gen WAF (Signal Sciences) — effective but adds cost. No 'unmetered' guarantee like Cloudflare.
• •CloudFront: Shield Standard (free) covers L3/L4. Shield Advanced ($3,000/month) adds L7 protection, dedicated response team, and cost protection. The price gap is staggering.

WAF (Web Application Firewall) Comparison

• •Cloudflare Pro WAF: Managed rulesets (OWASP Top 10), auto-updated, custom rules. Included in Pro plan. Blocks SQL injection, XSS, RCE, and known CVEs.
• •Bunny.net WAF: Basic WAF available as $9.99/month add-on. Covers common attack vectors but lacks the depth of Cloudflare or Fastly's rulesets.
• •Fastly Next-Gen WAF: The most advanced WAF in the CDN space. ML-powered detection, custom signals, and SmartParse technology. Best for enterprise e-commerce with complex attack surfaces.
• •CloudFront + AWS WAF: $5/web ACL/month + $1/rule/month + $0.60/million requests. Powerful but complex and expensive. Requires manual rule configuration.

Security Recommendation for E-Commerce SMBs

For SMB e-commerce sites, Cloudflare Pro ($25/month) provides the best security value by a wide margin. You get unmetered DDoS protection, a managed WAF, bot detection, and rate limiting — all included. The equivalent security stack on CloudFront (Shield Advanced + WAF + Bot Control) costs $3,100+/month. Fastly's Next-Gen WAF is excellent but typically requires a custom enterprise contract.

If you choose Bunny.net for its latency advantage, we recommend using Cloudflare as your DNS provider (free plan, proxy mode) for DDoS protection, while routing asset delivery through Bunny.net pull zones. This hybrid approach gives you Cloudflare's security + Bunny.net's latency for static assets.

Configuration Mistakes

• •Not caching HTML: The default CDN configuration only caches static assets. HTML pages — your most-requested resource — always hit the origin. Fix: Cache HTML with short TTLs + stale-while-revalidate.
• •Query string chaos: UTM parameters, fbclid, gclid, and tracking params create unique cache keys for identical content. Fix: Strip tracking params before cache lookup.
• •Vary: Cookie header: WordPress plugins and e-commerce platforms set cookies on every visitor, making every request 'unique.' Fix: Audit cookies, restrict to authenticated users only.
• •No origin shield: 100+ PoPs independently requesting the same expired content from your origin = thundering herd problem. Fix: Enable Argo Tiered Cache (Cloudflare), Storage Zones (Bunny), Shielding (Fastly), or Origin Shield (CloudFront).
• •Double-CDN without bypass rules: Putting Cloudflare in front of a Vercel/Netlify CDN without disabling Cloudflare caching = conflicting cache headers, increased latency, and stale content.
• •Forgetting mobile: Some CDNs (especially CloudFront) require Vary: Accept-Encoding to serve different compression to mobile. Misconfigured Vary headers create separate cache entries per device — halving your hit ratio.

Monitoring Mistakes

• •Not monitoring cache hit ratio: If you're not measuring CHR, you don't know if your CDN is working. Check your CDN's analytics dashboard weekly. Target: 90%+ for content sites, 85%+ for e-commerce.
• •Testing from one location: CDN performance varies by region. Test from at least 3 global locations. Use CDNPerf, Pingdom, or WebPageTest with multiple test locations.
• •Ignoring cache MISS reasons: Every CDN logs why a request was a MISS (expired, first-request, vary-mismatch, bypass-rule). Analyze MISS reasons to find fixable cache gaps.
• •Lighthouse testing without CDN: Running Lighthouse from your local machine or a single server location doesn't reflect CDN-cached performance. Test via WebPageTest from the CDN's PoP locations.
• •Not invalidating after deploys: Deploying new CSS/JS without cache purge = users getting old styles/scripts. Implement automated purge in your CI/CD pipeline.