Measured in your browserWe advise on speed. We practice it.Loaded just now · real numbers from this visit, not a lab score.
Page loaded
First byte
DOM ready
First paint
Largest paint
DNS lookup
TLS handshake
Transferred
Saved by compression
Requests

Every edge security control shares one bypass: talk to the origin directly. If your origin answers the internet, the WAF, the bot layer and the DDoS shield are all optional equipment for anyone who finds its address, and addresses leak: DNS history, certificate transparency logs, verbose errors, misconfigured subdomains.

The exposure, concretely

Attackers enumerate origin candidates from certificate-transparency records (every cert you ever issued is public), historical DNS data, and infrastructure fingerprinting, then test whether the app answers without its edge. When it does, they inherit a WAF-free, rate-limit-free, logging-diminished attack surface, plus the ability to volumetrically attack an origin sized for shielded traffic. Origin exposure quietly converts your entire edge security spend into perimeter decoration.

The control ladder

Ascending strength: firewall allowlists of the CDN’s published fetch ranges (workable, brittle as ranges evolve, and any customer of the same CDN may share those ranges); a shared-secret header injected by the edge and required by origin (cheap, effective against casual discovery, a static credential in transit); mutual TLS, where the edge presents a client certificate your origin verifies (cryptographic origin-side proof of who is fetching, the current standard for serious estates); and private connectivity, origin unreachable from the internet at all, reached via private link or tunnel from the provider. Combine layers; they fail differently.

A structural note that elevates this from checklist to architecture: origin protection is where the zero-trust vocabulary meets delivery infrastructure honestly. The origin should not trust network position (public unreachability helps but is not identity) and should verify every fetch cryptographically, which is exactly what mTLS provides and what private-link topologies complete. The estates furthest along treat their CDN as just another workload identity in a uniform policy: certificates issued from the same PKI, rotated by the same automation, logged into the same audit stream as service-to-service traffic. Delivery stops being a special snowflake at the security boundary, and the back door stops being a door.

Operational realities

mTLS demands certificate lifecycle discipline on both sides, rotation, revocation, monitoring expiry like the outage it can cause. Multi-CDN complicates everything: each provider’s ranges, headers or client certs must be authorized, and your origin policy becomes the union (audit it per provider exit, too, so departed vendors lose access, a step the Edgio winter caught estates skipping). And keep health-check and operational paths inside the same controls; the forgotten monitoring endpoint is a classic re-exposure.

In practice

This week: test your own bypass, fetch the origin directly from an external network and see what answers. Then climb the ladder to at least edge-injected secrets, with mTLS as the standing target for anything security-relevant, and schedule the certificate-rotation rehearsal that mTLS estates owe themselves. The edge can only protect traffic that has no way around it.

Origin-exposure tests open every security engagement we run. A dismaying share of them succeed on the first try.

Get the free assessmentMore analysis