Measured in your browserWe advise on speed. We practice it.Loaded just now · real numbers from this visit, not a lab score.
Page loaded
First byte
DOM ready
First paint
Largest paint
DNS lookup
TLS handshake
Transferred
Saved by compression
Requests

Most CDN security incidents are not exotic. They are default settings nobody changed: an origin reachable directly, TLS terminating on old protocols, a WAF in logging mode forever. This is the baseline — the configuration floor before any traffic goes live.

TLS: terminate it properly

Minimum protocol TLS 1.2, with 1.3 enabled — every current edge supports both; legacy protocol support is a checkbox someone forgot. Redirect all HTTP to HTTPS at the edge, then set HSTS with a short max-age first (a day), raising it to six months once you have confirmed no subdomain breaks. Confirm certificate auto-renewal is on and alerting exists for expiry: expired edge certificates remain a leading cause of self-inflicted outages.

Cloak the origin

A CDN protects nothing if attackers can reach your origin directly. Three layers, cheapest first: restrict origin ingress to the provider’s published IP ranges (subscribe to their change feed — ranges rotate); require a shared-secret header injected at the edge and verified at the origin, so even a leaked origin IP refuses non-CDN traffic; and rename the origin hostname to something unguessable that never appears in DNS history. Test the cloak: request the origin IP directly — the correct result is a refusal, not your homepage.

WAF: start in blocking mode for the boring rules

Managed core rulesets (SQL injection, XSS, known CVE signatures) generate near-zero false positives on modern applications; run them in blocking mode from day one rather than parking the whole WAF in “log only” and forgetting it. Custom rules for your application start in log mode for a week, then graduate. Review the WAF log weekly for the first month — the rules you tune in week two are the ones that would have paged you in month six.

Rate limits as circuit breakers

Two limits cover most abuse: a per-IP request ceiling on login, search, and API paths (start generous — 10× your heaviest legitimate user — and tighten with data), and a global requests-per-second alarm that pages you before your origin autoscaling bill does. Bot management beyond this is a product decision, not a baseline; buy it when scraping or credential stuffing shows up in the logs, and the logs are why the next item exists.

Log now, investigate later

Enable full edge access logs with client IP, TLS version, WAF verdict, and cache status, delivered to storage you control — not just the provider dashboard with its 7–30 day retention. Security investigations reconstruct timelines; a timeline you did not record cannot be reconstructed. Edge logs are also your billing audit and your hit-ratio ground truth, so the same setting pays three times.

The whole baseline is a day of work on any major provider. Nothing here requires premium tiers — which is precisely why its absence is a configuration decision, not a budget one.

Get the free assessmentMore analysis