Show search and navigation.

 

CDN Security Frequently Asked Questions

General

ClosedDoes the CDN automatically protect my site traffic against denial of service attacks?

Yes. The CDN provides protection against distributed denial of service (DDoS) attacks through its distributed nature, reverse proxy request flow, and intelligent software designed to detect and mitigate volumetric attacks.

Learn more.

ClosedDoes the CDN protect my site traffic against other security threats?

Yes. We offer a variety of services and features through which additional security measures may be applied to your site traffic.

Learn more.

HTTP Requests

ClosedWhat are the available options for securing HTTP content?

Our CDN network is designed to protect origin servers from volumetric network attacks (e.g., DDoS). Additional protection may be applied to HTTP traffic through the following services/features:

Service/Feature Protects Against ScopeIndicates how the CDN determines whether security will be applied to a request. Update Links?Indicates whether links to CDN content will require updating to support the service/feature in question. Purchased Separately

Country Filtering

Unauthorized access

Folder

No

No

Rules Engine

Unauthorized access

Request Type

No

Yes

HTTPS

Wiretapping and man-in-the-middle attacks

Origin Server

YesThe HTTPS protocol is required to secure communication between a user and the edge of our network. Additionally, you must define a CNAME record that will honor HTTPS requests.

Yes

Token-Based Authentication

Unauthorized access

Folder

Request TypeThe ability to apply Token-Based Authentication by request type requires HTTP Rules Engine.

YesA token must be appended as a query string to all requests for content secured by Token-Based Authentication.

Yes

Web Application Firewall

Application layer attacks on a customer origin server

Request Type

No

Yes

Learn more.

ClosedHow is an unauthorized request for HTTP content handled?

The response for an unauthorized request varies by service/feature.

Service/Feature Description

Country Filtering

The response for an unauthorized request is a 403 Forbidden.

Rules Engine

Deny Access Feature

The Deny Access feature generates a 403 Forbidden response.

Token Auth Feature

By default, a request denied by the Token Auth feature will generate a 403 Forbidden response. However, the Token Auth Denial Code feature may be used to generate a 301, 302, 307, 401, or 404 response instead.

HTTPS

The response for a HTTP request to a customer origin server where HTTPS has been enabled will vary according to whether the HTTP Edge Protocol option has also been enabled.

  • Enabled: An HTTP request will generate a standard response (e.g., 200 OK).
  • Disabled: An HTTP request will generate a 404 Not Found.

Token-Based Authentication

By default, an unauthorized request will generate a 403 Forbidden response. However, it can be configured to generate a 301, 302, 307, 401, or 404 response instead.

Web Application Firewall

The response for an unauthorized request is a 403 Forbidden.
ClosedMay I add a country filter to an individual file?

Yes. By default, Country Filtering may only recursively secure directories. However, Rules Engine may be configured to match requests that originate from one or more countries. It may then be configured to deny these requests.

HTTPS Requests

ClosedWhat type of requests may leverage HTTPS?

Requests that meet the following minimum requirements are capable of supporting HTTPS:

Type Minimum Requirement

Origin Server

Customer Origin

CDN Storage

URL

Edge CNAME URL

Request Type

Standard HTTP delivery

HTTPS support requires a TLS certificate to be deployed across network.

Learn more.

ClosedWhat is required to set up HTTPS?

HTTPS support requires the following:

  1. HTTPS Activation

    If HTTPS has not been activated on your account, then please contact your CDN account manager. Provide the hostname through which HTTPS traffic will flow.

  2. Customer Origin Setup

    Perform the following steps:

    1. Configure your customer origin configuration to use HTTPS.

      Enable the HTTPS Edge Protocol option on the desired customer origin server.

    2. Enable TLS 1.2 support on your web servers.

      Disable support for SSL/TLS versions older than 1.1. Requests to web servers that support older SSL/TLS versions will cause the termination of the TLS handshake and users will land on a "Your connection is not secure" web page.

  3. Edge CNAME Setup

    Create an edge CNAME that points the above hostname to the desired origin server.

  4. DNS Setup

    Once the requested TLS certificate has been deployed throughout our network, update your DNS configuration.

    • Create/update a CNAME record to point to the hostname defined in the SSL Welcome message.

Learn more.

ClosedCan I leverage an existing TLS certificate?

Yes. Contact your CDN account manager to learn how you may securely provide the TLS certificate's public key, private key, and intermediate certificate. After which, we will install that TLS certificate throughout our network.

Learn more.

Web Application Firewall

Frequently Asked Questions - Web Application Firewall

CDN Storage

ClosedWhat is the recommended approach for uploading content to CDN storage?

Please use either SFTP or rsync to upload content to CDN storage. We discourage the use of the FTP protocol as it is insecure and may result in the exposure of TCC credentials. This type of security breach may impact your production site traffic.

TCC Security

Enforcing strict security on TCC user accounts and Web Service REST API tokens is critical. Exposure of TCC credentials or authentication tokens may allow a malicious user to wreak havoc on your production site traffic.

ClosedView links to key articles on TCC security.
More Information
ClosedFrequently Asked Questions