doc: update CDN to restrict Fastly Purge API
By default, Fastly exposes the Varnish Purge protocol publicly,
allowing anyone to make HTTP PURGE requests to any URL, e.g.:

```
curl -X PURGE https://releases.jquery.com/robots.txt
```

This can be disabled by setting an internal header in the Fastly
configuration, explained in the docs[1], which I've now done for
"releases", "code", and "code2".

[1] https://docs.fastly.com/en/guides/authenticating-api-purge-requests
Krinkle committed Aug 18, 2024
1 parent 96af93f commit ad87bbe
1 change: 1 addition & 0 deletions doc/cdn.md
Expand Up @@ -32,6 +32,7 @@ The following are examples of mitigations and optimizations:
* CDN: Gzip compression, 1-year unconditional browser caching, 7-day stale-while-revalidate.
* CDN: Pull from origin using an encrypted connection (including for plain HTTP requests).
* CDN: Enable strict SNI verification on the HTTPS/TLS connection to the origin.
* CDN: Restrict Fastly Purge API to [require authentication](https://docs.fastly.com/en/guides/authenticating-api-purge-requests).
* Origin: Debian Linux LTS with debian-security, unattended-upgrades, and basic firewalls.
* Origin: Nginx, Certbox, and Node installed from upstream Debian (no custom apt repo, PPA, or unpackaged software).
* Origin: Require webhook payloads from GitHub to carry an HMAC-verified signature, based on a secret token.
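Review bot: the added bullet records the mitigation but not the default it closes or where it is applied; the commit message states that Fastly accepts unauthenticated HTTP PURGE requests for any URL by default and that the restriction was enabled for the "releases", "code", and "code2" services, none of which reaches doc/cdn.md. Suggest expanding the line so a future operator can tell which services are covered and that a newly created service starts in the unsafe default, for example `* CDN: Require authentication for Fastly purge requests (Fastly accepts unauthenticated HTTP PURGE for any URL by default); enabled on releases, code, and code2.` Mentioning that this is set via an internal header in the Fastly configuration, as the commit message describes, would also make the setting auditable when services are added later.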