What security considerations / concerns should be addressed when using CDN hosted code?

Working on a major financial company's website, we tend to shy away from using the CDN-hosted versions of the jQuery library used throughout our site because of "security concerns".

I'm assuming (although I've never had it fully explained) that these concerns relate to potential physical security threats through the risk of code being compromised on Google's or Microsoft's servers, reputation risks through those CDN networks becoming unavailable (thereby rendering the functionality on our site useless) and any other inherent risks that might arise from these situations.

My question is - how valid are these sorts of security concerns and what might be done to mitigate any security risks found on CDN-hosted networks?

Phil.Wheeler asked Jan 21 '10 21:01



1 Answer

If you're only using them as JavaScript includes, and as JavaScript is only client side, it potentially has access to anything and everything that gets rendered as XHTML through the DOM. This would be based on if the CDN got hacked and the JavaScript you were including got altered maliciously. See How does Google's javascript API get around the cross-domain security in AJAX for info on JavaScript being used cross-domain.

As others have said, it simply isn't worth the risk considering the almost zero advantages. JavaScript libraries are generally too small to matter about saving server space/bandwidth/access speeds/etc...

Alex answered Oct 18 '22 18:10