What it is
CDN SSL/TLS security wraps your website traffic in encryption at the CDN edge and all the way back to your origin. The CDN sits between visitors and your servers; done right, it stops eavesdropping, tampering, and spoofed look-alike pages while keeping your site fast. For a plain-English walkthrough, see our CDN SSL/TLS guide.
Why it matters
-
Privacy & integrity: attackers can’t read or alter what visitors see.
-
Trust: the browser padlock + valid cert proves they reached your site.
-
Resilience: modern TLS (1.3) with a CDN improves performance and uptime.
How it works (30-second tour)
-
Edge TLS: the CDN presents a certificate for your domain to visitors.
-
Origin TLS: the CDN connects to your server over HTTPS, validating your origin cert (ideally strict verification or mTLS).
-
Extras: HSTS, OCSP stapling, HTTP/2/3, and auto-renewed certs tighten security and speed.
Common pitfalls (and quick fixes)
-
Edge-only HTTPS: Traffic edge→origin left on HTTP. Fix: require “Full/Strict” TLS to origin.
-
Expired/mismatched certs: Wrong hostname or chain. Fix: automate issuance; monitor expiry.
-
Mixed content warnings: HTTP images/scripts on HTTPS pages. Fix: load everything via HTTPS.
-
Blocked origin: Firewall doesn’t allow CDN IPs. Fix: allowlist CDN ranges or use tunnels.
Safe setup checklist
-
Enable HTTPS at the CDN and auto-issue certs for all hostnames.
-
Turn on TLS 1.3, modern ciphers, and OCSP stapling.
-
Enforce HTTPS redirects and HSTS (test first, then consider preload).
-
Set CDN→Origin to Strict HTTPS (validate origin cert or use mTLS).
-
Monitor cert health and rotate keys on a schedule.