Restricting access to your origin server


The following applies only to CDN Static and CDN Video services; it does not apply to CDN Static Push, CDN Video Push and CDN Live services.

Let's look at how you can restrict access to your origin server. In what follows, assume this CDN service:

  • Service Domain -
  • Service Identifier -
  • Origin Domain -

Please refer here for more details. Assume further that you want CDN edge servers to be able to access the Origin Domain (for pull requests) while everyone else is blocked from it.

Allow only requests containing X-Resource header

This section applies only to CDN Static services. Every request from our CDN edge servers carries an X-Resource HTTP header, as in the following example of a pull request from a CDN edge server for the CDN service:

X-Resource: 12345

The number 12345 corresponds to the Service Identifier. You can find the Service Identifier of your CDN service on the Services/Settings page.

To allow only requests that carry the X-Resource HTTP header with your Service Identifier as its value, use one of the following. Both rules compare the value, not merely the presence of the header, so a request with a wrong value is rejected just like a request without the header.

Apache (mod_rewrite, in the virtual host or in .htaccess)

RewriteEngine On
# %{HTTP:X-Resource} is the request header; the condition holds when it is absent or not exactly NUMBER
RewriteCond %{HTTP:X-Resource} !^NUMBER$
# [F] answers 403 Forbidden and stops further rewriting
RewriteRule ^ - [F]

Nginx (inside the server block; an if that only returns is one of the safe uses of if)

location / {
    # $http_x_resource is the X-Resource request header (empty when absent)
    if ($http_x_resource != "NUMBER") {
        return 403;
    }
}

Replace NUMBER with the Service Identifier of your CDN service.

Check that the configuration parses (apachectl configtest or nginx -t), then restart or reload your web server.

Test your origin server

You can use the command-line curl tool to test your origin web server. You should receive a 200 OK response if and only if your request includes the X-Resource HTTP header with the correct value.

Request without X-Resource header


You should receive 403 Forbidden.

Request with X-Resource header

curl --header 'X-Resource: NUMBER'

You should receive 200 OK.

Replace NUMBER with the Service Identifier of your CDN service.

A note on 403 vs. 404

You can also return a 404 Not Found response code instead of 403 Forbidden. A 403 tells the requester that the content exists and that access to it is denied, which exposes some information about your content to the public; a 404 reveals nothing about whether the content exists. Read about a similar scenario here.
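The gate above end to end, as an added example that is not part of this page or of CDNsun's own code: a throwaway origin server that enforces the same X-Resource comparison as the Apache and Nginx rules, plus a client that probes it the way the curl tests do (no header, wrong value, right value) and reports the status codes. The identifier 12345, the loopback address and the path /video.mp4 are assumptions; the hide_with_404 switch shows the 403 vs. 404 choice discussed in the note.

```python
# Added example, not CDNsun's code: the X-Resource gate as a tiny origin server
# plus the three probes a practitioner would run against it.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional

SERVICE_IDENTIFIER = "12345"  # assumption; stands in for NUMBER (Services/Settings page)


def decide(headers: Dict[str, str], expected_id: str, hide_with_404: bool = False) -> int:
    """The gate itself: 200 only when X-Resource equals the Service Identifier.

    Header names match case-insensitively, the value exactly (after trimming
    surrounding whitespace), mirroring `$http_x_resource != "NUMBER"`.
    A missing header and a wrong value are treated the same.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-resource"), None)
    if value is not None and value.strip() == expected_id:
        return 200
    # 403 admits that the content exists; 404 hides that (see the note on 403 vs. 404).
    return 404 if hide_with_404 else 403


def make_handler(expected_id: str, hide_with_404: bool):
    class OriginHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            code = decide(dict(self.headers.items()), expected_id, hide_with_404)
            body = b"origin content\n" if code == 200 else b""
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return OriginHandler


def serve(expected_id: str, hide_with_404: bool = False) -> HTTPServer:
    # Port 0 lets the OS pick a free loopback port.
    server = HTTPServer(("127.0.0.1", 0), make_handler(expected_id, hide_with_404))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url: str, x_resource: Optional[str]) -> int:
    """Equivalent of `curl --header 'X-Resource: NUMBER' URL`; returns the HTTP status code."""
    req = urllib.request.Request(url)
    if x_resource is not None:
        req.add_header("X-Resource", x_resource)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(hide_with_404: bool = False) -> Dict[str, int]:
    """Start a throwaway origin and probe it without, with a wrong, and with the right header."""
    server = serve(SERVICE_IDENTIFIER, hide_with_404)
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}/video.mp4"  # assumed path
        return {
            "no_header": probe(base, None),
            "wrong_value": probe(base, "99999"),
            "right_value": probe(base, SERVICE_IDENTIFIER),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_checks())
    print(run_checks(hide_with_404=True))
```

Running the script prints the three status codes for both modes; the only request that gets 200 in either mode is the one carrying the exact identifier. Note that decide() rejects a value such as 123456 even though it contains 12345, which is why the Apache rule anchors its pattern with ^ and $.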

Use a non-obvious Origin Domain

Let's assume that you have the following URL Signing protected CDN URL in your website source code.

An attacker may try to bypass the URL Signing protection by downloading the content directly from your origin. The CDN does not disclose the Origin Domain of your CDN service to anyone but you. However, there are obvious candidates that an attacker may try, such as in the following example.

In our case the attacker would succeed with the first URL because it really is the Origin Domain of our CDN service. To protect your origin content, it is therefore recommended to use a non-obvious Origin Domain, such as in the following example.

As long as you do not expose this information publicly, an attacker has no straightforward way to locate your origin content. Treat the non-obvious name as defense in depth alongside the X-Resource check and the firewall described on this page, not as a substitute for them: a name that leaks once gives no protection at all.

Firewall your origin server

Allowing access to your origin server only from our CDN edge servers, by setting up a firewall (e.g. iptables) on the origin server, is not entirely straightforward but it is doable; please read more here.
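One way to build such an allowlist, as an added example that is neither this page's nor CDNsun's own code: it validates a list of edge prefixes, emits iptables rules that admit only those networks to the origin's HTTP ports, and offers an offline check of which source addresses would get through. The prefixes below are constructed placeholders taken from the RFC 5737 documentation ranges, not CDNsun's edge addresses; take the real list from the link above, and the port list and chain name are assumptions.

```python
# Added example, not CDNsun's code: generate an iptables allowlist for the origin
# from a list of CDN edge prefixes, with strict validation of every entry.
import ipaddress
from typing import Iterable, List

# Constructed placeholders (RFC 5737 documentation ranges); replace with the
# provider's published edge prefixes.
EDGE_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "# comments and blank lines are skipped",
    "203.0.113.0/24",
]
ORIGIN_PORTS = (80, 443)  # assumption: the origin serves plain HTTP and HTTPS


def parse_prefixes(raw: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Validate every entry before it becomes a rule.

    strict=True rejects host bits set in the prefix, so a typo such as
    203.0.113.0/8 fails loudly instead of quietly opening the origin to a /8.
    """
    nets = []
    for entry in raw:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        net = ipaddress.ip_network(entry, strict=True)  # ValueError on bad input
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {entry}")
        nets.append(net)
    if not nets:
        raise ValueError("empty allowlist would drop all CDN traffic")
    return nets


def iptables_rules(nets: Iterable[ipaddress.IPv4Network],
                   ports: Iterable[int] = ORIGIN_PORTS,
                   chain: str = "INPUT") -> List[str]:
    """Emit an allowlist: established flows, loopback, each edge prefix, then drop.

    Only the origin's HTTP ports are dropped at the end, so management access
    (e.g. SSH) on other ports is left to the rest of the ruleset.
    """
    ports = list(ports)
    rules = [
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A {chain} -i lo -j ACCEPT",
    ]
    for net in nets:
        for port in ports:
            rules.append(f"iptables -A {chain} -p tcp -s {net} --dport {port} -j ACCEPT")
    for port in ports:
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


def is_allowed(src_ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Offline check: would a request from src_ip reach the origin's HTTP ports?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    edge_nets = parse_prefixes(EDGE_PREFIXES)
    print("\n".join(iptables_rules(edge_nets)))
    for ip in ("203.0.113.7", "8.8.8.8"):
        print(ip, "allowed" if is_allowed(ip, edge_nets) else "dropped")
```

The rules are appended with -A, so any earlier ACCEPT for those ports in the INPUT chain would still win; review the existing chain (iptables -S INPUT) before applying, and regenerate the list whenever the provider's edge prefixes change, since a stale allowlist silently blocks new edge servers and keeps admitting retired ones.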
