How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
Support FAQ
CDN SSL/TLS security is the way HTTPS is protected when a content delivery network sits between the visitor and the origin application. There are usually two encrypted conversations, not one: the browser connects to a nearby CDN edge, and the CDN separately connects to the origin. A secure design makes both halves encrypted, authenticated, observable, and governed by clear change control.
The browser only sees the edge certificate. That is why a site can appear secure to users while still having weak origin protection. If the CDN accepts an invalid origin certificate, connects to the origin over plain HTTP, or allows the origin to be reached directly from the internet, the delivery path has a gap. The goal is not just to show a lock icon. The goal is to keep confidentiality, integrity, and trust intact across the whole route.
The visitor-to-CDN leg handles the public certificate for the hostname, browser protocol negotiation, and client-facing settings such as TLS versions, cipher suites, HTTP/2, HTTP/3, and HSTS. The CDN terminates the connection at the edge so it can inspect requests, apply cache policy, run security controls, and decide whether to serve a cached response or fetch from the origin.
The CDN-to-origin leg is a separate upstream connection. This leg should also use HTTPS, and the CDN should validate that the origin certificate is valid for the requested hostname or a deliberate origin hostname. Stronger deployments may use mutual TLS, private connectivity, or signed origin headers so the origin can verify that requests really came through the approved delivery layer.
Treating these legs separately helps with troubleshooting. A user-facing certificate problem may be caused by an expired edge certificate, a missing subject alternative name, an unsupported protocol, or a redirect rule. An upstream problem may be caused by an expired origin certificate, an SNI mismatch, an origin firewall change, or a CDN mode that no longer validates the origin as intended.
Certificate coverage should match how the site is actually used. Include every public hostname that visitors request, including apex domains, www hostnames, application subdomains, and API hostnames. Wildcard certificates can simplify coverage, but they can also hide ownership problems if too many unrelated services share one certificate.
Renewal should be boring. Automated renewal is useful, but it still needs monitoring because failures often appear only near expiry. Track who owns each certificate, where private keys are stored, which systems can renew or deploy certificates, and how emergency replacement works. Expired certificates are common because responsibility is split across DNS, CDN, platform, and application teams.
Protocol settings should exclude obsolete TLS versions and weak ciphers unless there is a clearly documented legacy requirement. Modern settings reduce downgrade risk and usually improve performance through better protocol support. HSTS can prevent accidental HTTP use, but it must be introduced carefully. Once browsers remember a strict HSTS policy, rollback is harder if a hostname or certificate is misconfigured.
Redirects also matter. A simple HTTP-to-HTTPS redirect at the edge is usually easier to reason about than competing redirects at the CDN, load balancer, and application. Mixed redirect ownership can create loops, preserve the wrong host, or lose path and query information during login and checkout flows.
An origin that accepts direct public traffic can bypass the CDN's TLS, cache, bot, WAF, and rate-limit controls. Direct access also makes incident response harder because some requests follow the intended path and others do not. Restrict origin access with firewall rules, private network paths, authenticated origin pulls, mutual TLS, or another control that proves the request came through the approved layer.
Do not rely on the origin hostname being obscure. Hostnames leak through DNS records, certificate transparency logs, referrers, old documentation, and scanning. A better rule is that the origin should be safe even if its address is known.
Origin certificate validation should be strict. Self-signed or privately issued certificates can be acceptable in controlled environments, but the CDN must be configured to trust the issuing authority deliberately. Blindly accepting any certificate removes a major part of TLS protection.
Start with a hostname inventory. For each hostname, record the edge certificate, origin target, origin certificate, redirect behavior, HSTS policy, and whether direct origin access is blocked. Include old hostnames and temporary hostnames because forgotten records often become the weakest path.
Then test both legs. From a normal network, confirm that HTTP redirects to HTTPS, the public certificate is valid, and pages load without mixed content. From the CDN or an approved test path, confirm that the origin certificate validates and that the correct SNI value is used. From an unapproved network, confirm that direct origin access fails or returns only a safe response.
Use logs to prove the request path. Edge logs should show hostname, TLS protocol, cache status, rule actions, origin status, and request identifiers. Origin logs should show that normal production traffic comes from expected CDN addresses or authenticated connections. Synthetic tests should include multiple regions because certificate and routing problems can be regional.
The most common misconception is that "HTTPS is enabled" means the whole path is secure. It may only mean the browser-to-edge leg is encrypted. Another common problem is a relaxed upstream mode that encrypts the connection but does not validate the origin certificate. That can protect against passive sniffing while still allowing active interception.
Certificate name mismatches are also frequent. The visitor requests one hostname, the CDN forwards with another host header, and the origin presents a certificate that only matches one of them. This often appears during migrations, multi-origin setups, or disaster recovery tests.
Operational failures include expired certificates, HSTS applied before all subdomains are ready, redirect loops, missing intermediate certificates, legacy clients blocked unexpectedly, and inconsistent settings between production and backup origins. Security failures include exposed origins, weak protocol support, shared private keys, and unclear ownership of certificate rotation.
CDN TLS changes are production security changes, even when no application code is deployed. They should have review, audit history, rollback steps, and monitoring. Dashboards should alert on certificate expiry, TLS handshake errors, origin validation failures, unexpected direct-origin traffic, and sudden changes in protocol mix.
During incidents, separate the two TLS legs before changing settings. Lowering origin validation or disabling HTTPS may restore traffic quickly, but it can also create a hidden security regression. A better runbook identifies the exact failing leg, applies the smallest temporary workaround, and records the follow-up needed to return to the intended policy.
Well-run CDN SSL/TLS security gives users encrypted access, gives operators a trustworthy request path, and gives security teams a defensible boundary around the origin. The details are technical, but the principle is simple: every hop that carries production traffic should be protected on purpose, not by assumption.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.