21

Content Delivery Networks (CDNs) are well known to speed up the performance of a website, but they create the obvious security risks if someone were to change the code that resides on the CDN.

  1. What are the security risks of a CDN?

  2. Is there content I shouldn't serve on a CDN (e.g. javascript, raw unwrapped json results)?

  3. If I serve javascript from a CDN, are there technical issues I could run into? (e.g. using an iFrame vs script/src and 3rd party cookies?)

  4. Are there special concerns regarding HTTPS/SSL connections?

  5. What information can a CDN obtain about my site (e.g. via referrer headers)?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536

3 Answers3

6
  1. Security risks:
    1. Any risks that would be present on your own site.
    2. Any risks relevant to a 3rd party site for the data you have given them.
    3. Information may persist longer than expected.
  2. Anything private or related to a single session shouldn't be served via a CDN -- not that I've ever heard of that happening. Anything static and non-private should be fine, including code, jscript, json data, etc.
  3. Yes, you might run into issues serving scripts from a CDN. You should determine what issues you face via testing. However, javascript typically operates on almost anything that is part of the browser window regardless of the source domain (hence so many attack vectors and facebook ads).
  4. No particularly special concerns about HTTPS. The CDN should have its own certificate and provide SSL service.
  5. CDNs can determine pages visited on your site. They can determine more if you point to them using the same domain as your website (cookie overlap). That's why you often see domains like 'example-static.com' instead of 'static.example.com' -- it keeps *.example.com cookies private.
Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
  • RE #4: A minor risk is that if the SSL Certificate of the CDN is not recognized by the client some parts of your site will suddenly not work for some clients. (Happened to me. Was hard to debug.) – Angelo Fuchs Feb 19 '16 at 10:05
2

It's possible for a CDN to track users using an ETAG, though I don't know of any CDNs who do this (I haven't tested)

A unique value can be generated for each new request, and repeated anytime it is requesting a refresh.

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
2

The only problem is that if CDN is compromised, hackers can steal visitors' cookie with a modified JS file, because that JS will be executed in YOUR website. That's all.

In general, CDN does not use cookie (the CDN subdomain is free from cookies). About SSL session, that subdomain uses another SSL session. No problem at all.

jcisio
  • 127
  • 1
  • 4