Unfortunately, content delivery networks are not failure-proof, and they do get attacked and compromised from time to time. Attackers have learned to modify content and harvest user credentials through compromised CDNs, and this is a serious problem that has received surprisingly little attention. Today we will discuss how to configure your website to minimize the damage if the CDN you rely on is compromised.
Advantages of using a CDN service
A CDN can be beneficial for both small and large websites. It speeds up loading for visitors, reduces the load on your own server and often saves money. The major advantages of CDNs can be summarized in the following points:
- Servers physically closer to end users, and therefore faster response times.
- Popular scripts loaded from the biggest CDNs may already be in the user's browser cache from another site. (Note that modern browsers partition the HTTP cache by top-level site, so this cross-site cache sharing has largely disappeared.)
- In case of traffic spikes, a CDN can scale up instantly to absorb the load.
It goes without saying that CDN solutions are affordable. A few years ago CDNs were available only to big sites; now even a small personal blog can easily use one. There are many free and cheap offerings on the market.
Downsides and problems with CDNs
If a CDN turns malicious, or is compromised from the outside, it's a big problem. A script loaded from a CDN with a plain script tag runs inside your page's origin with the same privileges as your own code: it can rewrite any content on the page, read form fields and non-HttpOnly cookies, and send whatever it sees to a third party. Keep in mind that a CDN must be trusted exactly as much as you trust your own server.
Therefore, before you decide on a particular CDN, ask yourself whether it's trustworthy. Talk to other users and read reviews to judge the reliability of the candidates.
What if the CDN gets hacked?
Like any other Internet service, a CDN can be hacked. Make sure the provider's team takes security seriously: check their reputation online, or contact them and ask how they handle security incidents and what protections they have in place. This matters more than you might think, because if the CDN goes down, everything you serve only through its edge servers becomes unreachable, and if it is compromised, your visitors' personal information and your own data are exposed.
You can simply hope that disaster passes you by, or you can take measures in advance. There's an old trick for containing the damage. Buy an additional domain; it costs as little as $10 a year. Serve your static assets from that second domain and keep the application itself, with its cookies and personal data, on the main one, so the two are cleanly separated. Because the session cookie is scoped to the main domain, it is never sent along with requests for assets, and anything that ends up served from the asset domain (for example through an XSS bug in user-uploaded content) cannot read the main site's cookies or page contents. Note that this does not neutralize a malicious script you include in your own pages with a script tag: that still runs in your page's origin. For that you need the integrity check described next.
The integrity attribute of a script tag carries a cryptographic hash (SHA-256, SHA-384 or SHA-512, base64-encoded) of the file you expect. The browser hashes the script it actually receives and compares the result with the attribute. If the CDN tries to change the content, or is hacked and someone replaces the script, the hashes no longer match and the browser simply refuses to execute it. This mechanism is called Subresource Integrity (SRI).
Pay attention to files named "latest" or without a version number: they are updated regularly, so the hash would change under you and the browser would reject the legitimate new version. You cannot use integrity checks with such URLs; pin a specific version instead and update the hash when you deliberately upgrade.
When you use the integrity attribute on a script from another origin, you also need to add crossorigin="anonymous" to the script tag. It makes the browser fetch the script as a CORS request without credentials, so no cookies and no HTTP basic authentication are sent, and it lets the browser read the response for the hash check (the CDN must reply with an Access-Control-Allow-Origin header, which public script CDNs do). Without the attribute the integrity check cannot run and the browser blocks the script.
If the CDN changes the script for whatever reason, or is simply down, your website should keep working. To ensure that, implement a fallback: after the script tag that points at the CDN, check whether the library actually loaded (for example, whether the global it defines exists), and if not, load the same file again, this time from your own server. This covers a rejected integrity check and a CDN outage alike.
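As an added example (not the article's own code), here is a small loader that first tries the pinned CDN copy and, when the browser fires the script's error event (which it does for an integrity mismatch, a blocked request and a network failure alike), injects the same-origin copy instead. The URLs, the placeholder integrity value and the fake document that lets it run outside a browser are all constructed for this example.

```javascript
// Added example: load a pinned CDN script, fall back to a same-origin copy on error.
// Works against the real DOM in a browser; the fake document below is for running it
// offline under Node.js and is constructed for this example only.
function loadScriptWithFallback({ cdnSrc, integrity, localSrc, onDone }, doc = globalThis.document) {
  const state = { attempts: [], loadedFrom: null, error: null };

  function attempt(src, sri, isFallback) {
    state.attempts.push(src);
    const el = doc.createElement('script');
    el.src = src;
    if (sri) {
      el.integrity = sri;
      el.crossOrigin = 'anonymous'; // SRI on a cross-origin script needs a credential-less CORS request
    }
    el.onload = () => {
      state.loadedFrom = src;
      if (onDone) onDone(null, state);
    };
    el.onerror = () => {
      if (el.parentNode) el.parentNode.removeChild(el);
      if (!isFallback) {
        // Same-origin copy: the HTML that runs this came from the same server, so no SRI needed.
        attempt(localSrc, null, true);
      } else {
        state.error = new Error(`script unavailable, tried: ${state.attempts.join(', ')}`);
        if (onDone) onDone(state.error, state);
      }
    };
    doc.head.appendChild(el);
  }

  attempt(cdnSrc, integrity, false);
  return state;
}

// Minimal stand-in for the DOM (constructed). `failing` holds URLs whose load should fail,
// which is what the browser reports for both a hash mismatch and an unreachable CDN.
function makeFakeDocument(failing) {
  const head = {
    appendChild(el) {
      el.parentNode = head;
      // A real browser fires load/error asynchronously; synchronous is fine for a simulation.
      if (failing.has(el.src)) el.onerror(); else el.onload();
    },
    removeChild(el) { el.parentNode = null; },
  };
  return { head, createElement: () => ({}) };
}

const CDN_SRC = 'https://cdn.example.net/widget/1.4.2/widget.min.js';
const LOCAL_SRC = '/static/vendor/widget-1.4.2.min.js';

// Run the loader against the fake document with the given set of failing URLs.
function simulate(failing) {
  return loadScriptWithFallback({
    cdnSrc: CDN_SRC,
    integrity: 'sha384-PLACEHOLDER_REPLACE_WITH_REAL_DIGEST', // placeholder, not a real hash
    localSrc: LOCAL_SRC,
  }, makeFakeDocument(new Set(failing)));
}

if (typeof window === 'undefined') {
  console.log('CDN tampered or down:', simulate([CDN_SRC]));
  console.log('both down:', simulate([CDN_SRC, LOCAL_SRC]));
}
```

The classic inline form of the same idea is a second script tag right after the CDN one that tests for the library's global and calls document.write with the local path when it is missing; the loader above does the same thing without document.write, and reports which copy was used so you can log how often the CDN copy is being rejected.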