CDN Security
25 Mar 2019

Securing Access to your CDN Content

Securing access to your CDN content is a requirement every website operator may need to consider at some point. Depending on the nature of the material you provide, you may not want to share it with unauthorized parties. In other instances, you might need to protect your digital rights, or there may be some other business case that requires you to limit or restrict access to the information you store on a Content Delivery Network (CDN).

There are various ways to protect and secure your CDN content. As with any other form of data security, two components work hand in hand safeguarding your information – authentication and access control. People often confuse these terms as they are both synonymous with data security. However, although they are similar and both equally important, they perform separate but vital roles in securing your data.

Authentication is the process of verifying the identity of an individual or service before granting them access to a system. The usual username and password combination is probably the most common. Access control, on the other hand, is the process that determines the rights the user or service has once they have authenticated and gained entry to the system. Depending on the role assigned to the identity, the user or service has particular rights. For example, a superuser or administrator may be able to create and delete data, while a standard user may only be able to view it.

When it comes to protecting the information you store on a CDN, authentication and access control both play a vital role in protecting your data. Typically, CDNs require some form of authentication before they allow you access. In some instances, they may even have Multi-Factor Authentication (MFA) where you need to provide a password and another authentication factor like a One Time Pin (OTP). The first step in securing access to your CDN content is to ensure you keep your authentication credentials safe. They are effectively the keys to your CDN store, and anyone with access to these credentials can compromise your CDN configuration and gain unauthorized access to your data.

Token Authentication

Token authentication is a mechanism that gives CDN content owners the ability to prevent their CDN from serving digital assets to unauthorized clients. The primary reason to use this security measure is to prevent other websites from using your content without your permission. It also helps to keep your CDN costs down as it limits the amount of bandwidth consumed as you manage which sites, services, and users can access your data. When you enable token authentication on your CDN, incoming requests are authenticated by the CDN edge server before the CDN delivers the content.

By requiring requests that access your CDN content to contain a token value that includes encoded information about the requester, token authentication verifies that a trusted site has generated the request received by your CDN. If the encoded data in the token matches the authentication configuration of the CDN, the content is served to the requesting service. If there is no match, your CDN then denies access.  

Typically, token authentication allows you to set up and configure various parameters. This functionality gives you the flexibility you need to tailor your authentication mechanism to your particular business case. For example, you could limit access by country or geographic location, only allow requests that meet a specific URL path, or restrict access to particular requesters via host headers. You can also enable or deny access to a specific referrer, IP address, or protocol. Token authentication also gives you the ability to assign an expiration date ensuring that a particular link to your CDN is only valid for a set period.

Hotlink Protection

Another feature that aids in securing access to your CDN content is hotlink protection. Like token authentication, it protects your bandwidth by preventing other domains from linking to the content you store on your CDN. By securing access to your CDN content with hotlink protection, you effectively prevent other websites from using an <img> or similar HTML tag to access your proprietary content. This security measure protects your bandwidth as it prevents other sites from displaying images on their web pages that are rendered directly by your CDN.

CDNs typically allow you to enable hotlink protection via the user console that manages your CDN service. Using this interface, you can specify the domain you wish to protect, block direct access to specific file extensions, and configure exceptions that allow direct requests.

Although hotlink protection helps in securing access to your CDN content, it does have a slight impact on your Search Engine Optimization. This security measure does not limit web crawlers from indexing your website, but it prevents your images from being displayed on sites such as Google Image Search and Pinterest. By giving your images an alt attribute, you can still ensure the relevant content gets crawled and indexed. However, people that search for specific images will not be able to locate them unless they visit your site directly.

SSL/TLS Encryption

Although encrypting your data does not necessarily control access to your CDN content, it is a good practice to deploy an SSL certificate when you configure your CDN service. Not only does this security measure ensure your site ranks higher in search results, but it also protects your site visitors from attacks that have the potential to steal their login credentials. When you leverage a CDN to improve the performance of your website, you need to configure an additional certificate for the content you store on the service. As visitors will receive dynamic content delivered by your origin server and static content from your CDN, configuring SSL on your CDN ensures they receive no browser warnings that some content is not encrypted.

Securing Access to Your CDN Content Requires a Layered Approach

As with any other security strategy you configure to protect your information, securing access to your CDN content requires a layered approach. One measure alone is not enough to protect your data. By ensuring you secure access by keeping your login credentials safe, leveraging token authentication to protect access to your content, deploying hotlink protection to save on bandwidth costs, and configuring an SSL certificate, you can ensure your CDN, its contents, and your users are secure.