Show search and navigation.

 

CDN Security Frequently Asked Questions

Applies To:
HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.
HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.
ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.

General

ClosedDoes the CDN automatically protect my site traffic against denial of service attacks?

Yes. The CDN provides protection against distributed denial of service (DDoS) attacks through its distributed nature, reverse proxy request flow, and intelligent software designed to detect and mitigate volumetric attacks.

Learn more.

ClosedDoes the CDN protect my site traffic against other security threats?

Yes. We offer a variety of services and features through which additional security measures may be applied to your site traffic.

Learn more.

HTTP Requests

ClosedWhat are the available options for securing HTTP content?

Our CDN network is designed to protect origin servers from volumetric network attacks (e.g., DDoS). Additional protection may be applied to HTTP traffic through the following services/features:

Service/Feature Protects Against ScopeIndicates how the CDN determines whether security will be applied to a request. Update Links?Indicates whether links to CDN content will require updating to support the service/feature in question. Purchased Separately

Country Filtering

Unauthorized access

Folder

No

No

Rules Engine

Unauthorized access

Request Type

No

Yes

HTTPS

Wiretapping and man-in-the-middle attacks

Origin Server

YesThe HTTPS protocol is required to secure communication between a user and the edge of our network. Additionally, you must define a CNAME record that will honor HTTPS requests.

Yes

Origin Shield

Denial of service attacks and spikes in traffic to a customer origin server

Customer Origin Server

No

Yes

Token-Based Authentication

Unauthorized access

Folder

Request TypeThe ability to apply Token-Based Authentication by request type requires HTTP Rules Engine.

YesA token must be appended as a query string to all requests for content secured by Token-Based Authentication.

Yes

Web Application Firewall

Application layer attacks on a customer origin server

Request Type

No

Yes

Learn more.

ClosedHow is an unauthorized request for HTTP content handled?

The response for an unauthorized request varies by service/feature.

Service/Feature Description

Country Filtering

The response for an unauthorized request is a 403 Forbidden.

Rules Engine

Deny Access Feature

The Deny Access feature generates a 403 Forbidden response.

Token Auth Feature

By default, a request denied by the Token Auth feature will generate a 403 Forbidden response. However, the Token Auth Denial Code feature may be used to generate a 301, 302, 307, 401, or 404 response instead.

HTTPS

The response for a HTTP request is determined by whether an origin entry has been configured to support it.

  • If at least one origin entry has been configured to use either HTTP Only or Match Client mode, then an HTTP request will generate a standard response (e.g., 200 OK).
  • If no origin entries within your customer origin group have been configured to use either HTTP Only or Match Client mode, then an HTTP request will generate a 404 Not Found response.

Origin Shield

A standard HTTP response is always provided.

Token-Based Authentication

By default, an unauthorized request will generate a 403 Forbidden response. However, it can be configured to generate a 301, 302, 307, 401, or 404 response instead.

Web Application Firewall

The response for an unauthorized request is a 403 Forbidden.
ClosedMay I add a country filter to an individual file?

Yes. By default, Country Filtering may only recursively secure directories. However, Rules Engine may be configured to match requests that originate from one or more countries. It may then be configured to deny these requests.

ClosedCan a custom security solution be applied to HTTP content?

Yes. We have a team of engineers that specialize in creating custom CDN configurations. Please consult with your CDN account manager to learn whether a custom CDN configuration can achieve the desired CDN security policy.

HTTPS Requests

ClosedWhat type of requests may leverage HTTPS?

Requests that meet the following minimum requirements are capable of supporting HTTPS:

Type Minimum Requirement

Origin Server

Customer Origin

CDN Storage

URL

Edge CNAME URL

Request Type

Standard HTTP delivery

HTTPS support requires a TLS certificate to be deployed across network.

Learn more.

ClosedWhat is required to set up HTTPS?

HTTPS support requires the following:

  1. HTTPS Activation

    If HTTPS has not been activated on your account, then please contact your CDN account manager.

  2. TLS Certificate

    Prepare for HTTPS delivery by requesting a TLS certificate through Certificate Provisioning System.

  3. Customer Origin Setup

    Perform the following steps:

    1. Configure your customer origin configuration to use HTTPS. For each desired origin entry within your customer origin group, set the Protocol Type option to HTTPS Only.

    2. Enable TLS 1.2 support on your web servers.

      A recommended best practice is to disable support for SSL/TLS versions older than 1.1.

  4. Edge CNAME Setup

    Create an edge CNAME that points the above hostname to the desired origin server.

  5. DNS Setup

    Once the requested TLS certificate has been deployed throughout our network, update your DNS configuration. Create/update a CNAME record to point a SAN to the certificate's target CNAMEIdentifies a system-defined CNAME record through which HTTPS requests will be routed. You must update your DNS configuration to point a CNAME record to this target CNAME..

ClosedCan I leverage an existing TLS certificate?

Yes. Contact your CDN account manager to learn how you may securely provide the TLS certificate's public key, private key, and intermediate certificate. After which, we will install that TLS certificate throughout our network.

Learn more.

Web Application Firewall

Frequently Asked Questions - Web Application Firewall

CDN Storage

ClosedWhat is the recommended approach for uploading content to CDN storage?

Please use either SFTP or rsync to upload content to CDN storage. We discourage the use of the FTP protocol as it is insecure and may result in the exposure of MCC credentials. This type of security breach may impact your production site traffic.

MCC Security

Enforcing strict security on MCC user accounts and Web Service REST API tokens is critical. Exposure of MCC credentials or authentication tokens may allow a malicious user to wreak havoc on your production site traffic.

ClosedView links to key articles on MCC security.
More Information
ClosedFrequently Asked Questions