Guides

Security Guide

How to Hide and Protect Your Origin Server

A CDN or reverse proxy is only a useful security boundary if attackers cannot bypass it. Build a deliberate path from the public edge to a private, monitored origin.

Putting a CDN, WAF, or reverse proxy in front of an application does not automatically hide the server behind it. The origin may still be discoverable through old DNS records, certificate transparency data, error messages, mail infrastructure, development hosts, direct IP access, or a forgotten API hostname. If an attacker can reach the origin directly, they can often bypass edge rate limits, bot controls, caching rules, and geographic policy.

Origin protection is therefore a routing and trust problem. The goal is to make the intended edge or private gateway the only practical path to the application, while keeping an authenticated administrative path for operators and a tested recovery path for incidents.

Model the exposure first

Create a complete map of public and private entry points:

  • Application, API, upload, image, WebSocket, and legacy hostnames.
  • IPv4 and IPv6 addresses, load balancers, cloud interfaces, and origin ports.
  • DNS records, aliases, wildcard records, health checks, and monitoring probes.
  • Certificates and subdomains that may reveal historical names.
  • Administrative interfaces, staging systems, and partner callbacks.
  • Outbound dependencies that must remain available after firewall changes.

Assume that an IP seen in an old DNS record is compromised. Do not treat a secret hostname as a control. Ask what happens if an attacker sends a request directly to the address with the expected Host header, with an unexpected host, over IPv6, or through a different port.

A hidden IP is not an access policy

DNS cleanup reduces discovery, but only network and application controls prevent direct access. Combine address management, firewall rules, authenticated edge connections, and origin-side validation.

Build the protected path

1. Make public DNS point to the edge

Publish customer-facing records for the edge or gateway, not the origin address. Remove stale records and aliases, including records for old environments that share infrastructure. Keep internal names in private DNS where possible. Review DNS history and certificate inventories for previous exposure, then rotate the origin address if it was public and cannot be confidently forgotten.

Do not confuse DNS TTL with protection. A short TTL can speed a change, but it does not stop a previously learned address from being used. Treat every origin address as potentially known and enforce access at the network boundary.

2. Allow only the intended ingress

At the origin firewall or security group, allow the documented address ranges of the edge, private gateway, health-check system, and tightly controlled administration path. Deny all other inbound traffic by default. Include IPv6 rules if the service has IPv6 enabled; an IPv4-only allowlist does not protect an open IPv6 interface.

Keep the allowlist in version control or another auditable system. Automate updates only when the source list is authenticated, reviewed, and tested. Remove temporary incident rules after their expiry. If the provider cannot offer stable source ranges, use another trust mechanism rather than opening the origin to the internet.

3. Authenticate the edge-to-origin connection

Use TLS from the edge to the origin, validate the certificate and hostname, and disable weak protocols and unneeded ports. For higher assurance, use mutual TLS or an origin authentication method that is bound to the trusted gateway. A shared secret in a header can be useful only when the origin validates that the request came through a trusted network path and the secret is rotated and protected; it is not a substitute for the firewall.

At the application boundary, reject unexpected hostnames and validate any gateway-added headers only when the gateway is the component that can set them. Never trust a client-supplied X-Forwarded-For, scheme, or identity header received directly from the public internet. Preserve the original client information for logging through a trusted, well-defined chain.

4. Separate administration

Do not expose SSH, control panels, databases, or orchestration interfaces through the public web origin. Use a private network, VPN, bastion, or identity-aware administrative gateway with MFA and least privilege. Restrict management access by role, source, device posture, and time where practical. Audit administrative sessions and test emergency access before an outage.

The origin's outbound policy matters too. A compromised application can be used to reach internal services or exfiltrate data. Limit egress to required dependencies, use metadata-service protections where relevant to your platform, and monitor unusual destinations. Origin protection should reduce blast radius, not only block inbound requests.

Add application and edge controls

Network restriction is the foundation, not the whole defense. Keep the WAF and API validation policy at the edge and in the application where appropriate. Apply rate limiting before expensive origin work. Use API protection for authentication, schema validation, quotas, and endpoint inventory.

Review caching carefully. Do not cache personalized responses or error pages that contain sensitive data. Ensure cache keys include every input that changes authorization or representation. Purge sensitive content when access rules change. A cache can reduce origin load, but it must not become a way to serve one user's response to another.

Test for bypasses safely

Test from an approved assessment source and coordinate with the operations team. Resolve every public hostname, check both address families, send requests to known historical addresses, and try an unexpected Host header. Confirm that direct requests are denied before application logic runs. Verify that the edge can still reach the origin, health checks work, uploads and long-lived connections behave correctly, and logs show the difference between an edge request and a rejected bypass.

Run the tests after DNS changes, provider migrations, certificate renewals, infrastructure rebuilds, and firewall automation changes. Include disaster recovery. A failover origin that is not protected is still an origin, and a recovery runbook that asks engineers to open the server broadly creates an incident during the incident.

Monitor the boundary

Alert on direct connection attempts, rejected source addresses, unexpected hostnames, origin TLS failures, changes to firewall rules, new DNS records, and sudden increases in origin cache misses or connection counts. Keep request IDs and trusted edge metadata so an investigation can trace a request without logging secrets. Compare origin traffic with edge traffic; a rise at the origin without a corresponding edge increase is a strong bypass signal.

Review the allowlist, DNS zone, certificate names, public cloud interfaces, and administrative paths on a schedule and after ownership changes. Delete obsolete environments rather than relying on an undocumented block rule.

Common mistakes

  • Assuming a proxied DNS record makes the origin unreachable.
  • Allowing 0.0.0.0/0 temporarily and never removing it.
  • Forgetting IPv6, alternate ports, staging hosts, or a second load balancer.
  • Trusting a secret header without restricting the source network.
  • Sharing an origin hostname in error pages, response headers, logs, or public code.
  • Making the origin unreachable to monitoring and then disabling protection to restore it.
  • Treating failover and disaster recovery origins as exempt from the same controls.

For a complete edge design, continue with API Protection at the Edge, Rate Limiting Explained, and Security Headers Checklist. If you need help reviewing a multi-provider path, contact Optimi.

Authoritative references

There are only two hard things in Computer Science: cache invalidation and naming things.

Close the direct path to your origin

Talk to our team about edge routing, origin access controls, and safe bypass testing.

Contact Optimi