Yes. The CDN provides protection against distributed denial of service (DDoS) attacks through its distributed nature, reverse proxy request flow, and intelligent software designed to detect and mitigate volumetric attacks.
Yes. We offer a variety of services and features through which additional security measures may be applied to your site traffic.
Our CDN network is designed to protect origin servers from volumetric network attacks (e.g., DDoS). Additional protection may be applied to HTTP traffic through the following services/features:
Service/Feature | Protects Against | ScopeIndicates how the CDN determines whether security will be applied to a request. | Update Links?Indicates whether links to CDN content will require updating to support the service/feature in question. | Purchased Separately |
---|---|---|---|---|
Unauthorized access |
Folder |
No |
No |
|
Unauthorized access |
Request Type |
No |
Yes |
|
Wiretapping and man-in-the-middle attacks |
Origin Server |
Yes |
||
Denial of service attacks and spikes in traffic to a customer origin server |
Customer Origin Server |
No |
Yes |
|
Unauthorized access |
Folder |
Yes |
||
Application layer attacks on a customer origin server |
Request Type |
No |
Yes |
The response for an unauthorized request varies by service/feature.
Service/Feature | Description |
---|---|
The response for an unauthorized request is a 403 Forbidden. |
|
Deny Access Feature The Deny Access feature generates a 403 Forbidden response. Token Auth Feature By default, a request denied by the Token Auth feature will generate a 403 Forbidden response. However, the Token Auth Denial Code feature may be used to generate a 301, 302, 307, 401, or 404 response instead. |
|
The response for a HTTP request is determined by whether an origin entry has been configured to support it.
|
|
A standard HTTP response is always provided. |
|
By default, an unauthorized request will generate a 403 Forbidden response. However, it can be configured to generate a 301, 302, 307, 401, or 404 response instead. |
|
The response for an unauthorized request is a 403 Forbidden. |
Yes. By default, Country Filtering may only recursively secure directories. However, Rules Engine may be configured to match requests that originate from one or more countries. It may then be configured to deny these requests.
Requests that meet the following minimum requirements are capable of supporting HTTPS:
Type | Minimum Requirement |
---|---|
Origin Server |
Customer Origin CDN Storage |
URL |
Edge CNAME URL |
Request Type |
Standard HTTP delivery |
HTTPS support requires a TLS certificate to be deployed across network.
HTTPS support requires the following:
HTTPS Activation
If HTTPS has not been activated on your account, then please contact your CDN account manager.
TLS Certificate
Prepare for HTTPS delivery by requesting a TLS certificate
Customer Origin Setup
Perform the following steps:
Configure your customer origin configuration to use HTTPS.
Enable TLS 1.2 support on your web servers.
A recommended best practice is to disable support for SSL/TLS versions older than 1.1.
Edge CNAME Setup
Create an edge CNAME that points the above hostname to the desired origin server.
DNS Setup
Once the requested TLS certificate has been deployed throughout our network, update your DNS configuration.
Yes. Contact your CDN account manager to learn how you may securely provide the TLS certificate's public key, private key, and intermediate certificate. After which, we will install that TLS certificate throughout our network.
Frequently Asked Questions - Web Application Firewall
Enforcing strict security on MCC user accounts and Web Service REST API tokens is critical. Exposure of MCC credentials or authentication tokens may allow a malicious user to wreak havoc on your production site traffic.