CDN security rarely fails dramatically. It decays: a WAF exception added during an incident and never removed, a rule disabled “temporarily,” a subdomain launched outside the CDN, an API token from an employee who left. Each change was reasonable; the sum is an estate nobody fully knows. The countermeasure is a quarterly audit — ten checks, half a day, run empirically from the outside rather than by re-reading configs and nodding.
Why drift, not failure, is the enemy
The audit’s premise is that the configuration in the dashboard and the protection actually delivered diverge over time, and only testing reveals the gap. So each check below is phrased as a verification, not a review: request the thing, scan the estate, compare against last quarter. The other premise is scope honesty — the audit covers everything the CDN fronts and everything it should front but does not, because the forgotten hostname outside the edge is a more common breach path than any misconfigured rule inside it. Keep the results in one document per quarter; the diffs quarter-to-quarter are more informative than any single run.
The perimeter checks: origin, DNS, TLS
First, origin exposure: from a network unrelated to your infrastructure, request your site directly against each origin IP with the production Host header. The right answer is refusal; content means the bypass path is open and the fix is in origin protection. Second, DNS estate: enumerate the zone and check every record — which hostnames resolve to the CDN, which bypass it, and which point at infrastructure that no longer exists, because a CNAME to a decommissioned service is a subdomain-takeover invitation. Compare against last quarter’s list; new unproxied hostnames are the drift you are hunting. Third, TLS from outside: protocol floor still TLS 1.2 or better, full chain served in order, certificate days-to-expiry and — more important — proof the renewal automation ran recently, per certificate handling. Ten minutes with an external scanner covers all three and produces evidence, not impressions.
The rules checks: WAF, rate limits, bots, geo
Fourth, the WAF exception register: read every exception aloud with its justification, and retire the ones whose reason has expired — the incident is over, the application was fixed, the path no longer exists. An exception without a written reason fails the audit by definition. Fifth, enforcement reality: replay a small attack-payload suite against production paths and confirm blocks still block — ruleset updates and platform migrations both silently change behaviour, which is why the regression suite from WAF tuning belongs in the audit. Sixth, rate limits and bot rules: pull a week of limited-and-challenged counts per rule; a rule matching zero for a quarter is either obsolete or broken, and both deserve a look. Seventh, geo rules: confirm the legal list still matches the configured codes and sample the denial logs for obvious misfires.
The hygiene checks: access, tokens, logs
Eighth, human access: the list of accounts that can change CDN configuration, checked against the current team, with multi-factor enforced and role scopes still appropriate — a leaver with a live login is a finding, and so is the shared “admin@” account that predates everyone. Ninth, machine credentials: API tokens and their scopes, purge keys, and the signing secrets behind signed URLs — each with a rotation date inside your policy window; a token created three years ago with full-zone scope for a script that only needed purge is the classic finding. Tenth, telemetry: confirm security-relevant logs actually arrive wherever they should (edge logs, WAF events, rate-limit hits) and that someone would be alerted by the alarms you believe exist — fire a test event and watch it land, because logging pipelines fail silently and an audit is the cheapest place to discover it.
Running it: evidence, owners, cadence
Make the audit boringly repeatable: a fixed checklist in version control, each check with a named owner, an evidence link (scan output, screenshot, log sample) and one of three verdicts — pass, finding, accepted-risk with expiry date. Findings get tickets with owners; accepted risks get re-accepted explicitly each quarter or they escalate, which is what stops “temporary” from meaning forever. Timebox the whole exercise to half a day — an audit that takes a week happens once and never again — and automate the empirical checks over time (the origin probe, the TLS scan, the replay suite) so the quarterly session becomes reading results rather than gathering them. Cadence matters more than depth: four honest half-days a year beat one heroic annual review, because drift compounds and cheap catches are early catches. The baseline the audit measures against is the one you built in the CDN security baseline.
