The CDN Link That Wouldn't Die
Failure Modes
A deleted image is not really deleted if a direct CDN URL still serves it. AI image products need deletion to cover every copy path.
- Date
- July 3, 2026
- Author
- Unexposed

The most embarrassing privacy failure is sometimes not a breach. It is a URL.
A user deletes an image from your app. The dashboard no longer shows it. The database row is gone, or marked deleted, or wearing whatever little tombstone flag your ORM prefers. Everyone feels good for about four seconds.
Then someone opens the old CDN link and the image still loads.
This happens because product deletion and asset deletion are different jobs. The UI can remove the object from the user’s view while a storage bucket, CDN edge cache, thumbnail service, queue retry folder, or backup path still has a copy. From the user’s perspective, deletion meant “stop having this.” From the system’s perspective, deletion meant “stop rendering the normal page.”
AI image products are especially vulnerable because generated outputs are often served as files. They may be cached for performance. They may have thumbnails. They may be stored under predictable or long-lived paths. They may be copied into moderation, analytics, or support tooling. A direct link can outlive the interface like a tiny cursed souvenir.
The fix starts with language. Do not promise deletion if the promise only covers the app view. Say what actually happens, then make the implementation catch up. If deletion invalidates CDN caches, deletes source files, removes derivatives, and expires signed URLs, great. If backups retain data for a fixed period, say that too.
Technically, the safer path is to avoid public permanent URLs for private outputs. Use signed URLs with short expiries. Keep object keys unguessable. Track derivatives. Build deletion paths that include source, output, thumbnail, cache, and queue residue. Test deletion like a user would: copy the URL before deleting, delete the image, then try the URL again.
This is not glamorous engineering. No one is going to put “cache invalidation actually respects privacy promises” on a launch banner, although honestly I would respect the confidence. But this is the stuff trust is made of.
When a user deletes an AI-generated image, the product should not make them play whack-a-mole with infrastructure leftovers. The link should die with the promise.
Further reading: Why “Delete My Uploads” needs to be verifiable, Why no hosted gallery is a product feature, and Unexposed data storage.