Security overview
Qwilt offers flexible security features that enable a uniform security configuration across all CDN services, including the following:
- HTTP request method control
- Web Application Firewall (WAF) protection
- Force HTTPS
- Access Control Lists (ACLs)
- HTTP version
- Bring Your Own Certificate
- TLS configuration
- Cipher Management
- Origin authentication
- Routing methods
These services are discussed in more detail below.
HTTP Request Method Control
Web Application Firewall (WAF) Protection
Qwilt’s WAF service provides advanced protection for your applications, with a single, unified solution.
Qwilt’s WAF service offers versatile deployment options, ensuring the protection of applications no matter where they reside—whether in containers, on-premises, in the cloud, or on the edge. This flexibility is achieved through a unified solution, simplifying the security process for diverse environments.
We handle the agent hosting for you, eliminating the need for software installation. You can update your DNS record to direct traffic to our hosted agent, where inspection and decision-making take place. Legitimate traffic is allowed to seamlessly pass through to the application or API origin.
Force HTTPS
This feature forces the CDN to redirect HTTP requests to HTTPS, effectively blocking the site from being accessed over HTTP.
Access Control Lists (ACLs)
Access Control Lists (ACLs) are used to limit access to sites based on a client's location (IP address, geographic location, ASN, or use of an anonymizer).
ACLs can be defined at both the host and path levels. Host ACL settings are inherited by paths, unless a path has its own ACL settings. In this case, path ACL settings override host ACL settings.
For additional information, see Add an ACL.
HTTP Version
Bring Your Own Certificate
TLS Configuration
Cipher Management
Qwilt uses OpenSSL to manage cipher availability. OpenSSL offers many configuration options for ciphers. To keep the interface simple, we allow Content Providers who want to configure ciphers to submit a string based on the Cipher List Format defined by OpenSSL: https://www.openssl.org/docs/man3.0/man1/openssl-ciphers.html
Example:
| Name | Example | Required | Type |
|---|---|---|---|
| Cipher List | High | Mandatory | Array of strings |
String Validation
The Content Provider-submitted string should be validated against the OpenSSL library.
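One way to run this validation, as an added example that is not Qwilt's code: Python's `ssl` module passes the string to the OpenSSL library it is linked against. It goes one step past accept/reject, because OpenSSL silently skips names it does not recognise, so each token is also tested on its own. The function names and sample strings are assumptions made for illustration.

```python
import re
import ssl


def expand(cipher_string):
    """Return the suite names OpenSSL selects for the string, or None if rejected."""
    # Fresh context per call: a failed set_ciphers() may leave the context altered.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except (ssl.SSLError, ValueError):
        return None
    # The cipher list governs TLS 1.2 and below; TLS 1.3 suites are configured
    # separately and stay enabled, so they are left out of the report.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def validate_cipher_list(cipher_string):
    """Check a submitted cipher list string (hypothetical helper).

    Returns a dict: ok (accepted by OpenSSL), suites (expanded suite names),
    unmatched (tokens that select no suite on this OpenSSL build, which means
    a typo or a suite that is not compiled in).
    """
    result = {"ok": False, "suites": [], "unmatched": []}
    if not isinstance(cipher_string, str) or not cipher_string.strip():
        return result
    suites = expand(cipher_string)
    if suites is not None:
        result["ok"], result["suites"] = True, suites
    # Colons, commas and spaces are all valid separators in the list format.
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        bare = token.lstrip("!+-")          # drop the exclude/delete/reorder operator
        if bare and not bare.startswith("@") and expand(bare) is None:
            result["unmatched"].append(token)
    return result


if __name__ == "__main__":
    # Constructed sample submissions, not taken from the page.
    for s in ("HIGH:!aNULL:!MD5", "HIGH:NOT-A-REAL-CIPHER", "NOT-A-REAL-CIPHER"):
        r = validate_cipher_list(s)
        print(s, "->", r["ok"], len(r["suites"]), "suites, unmatched:", r["unmatched"])
```

The result depends on the OpenSSL build doing the check, so run it against the same OpenSSL version that serves the traffic.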
Origin Authentication
The origin is where the content resides. Each delivery service (host) has to define an origin. The origin configuration can include a single origin host or multiple origin hosts with duplicated content.
When configuring a host or path origin in Qwilt, you can also select an origin authentication method, and then enter the relevant details.
Routing Methods
Qwilt supports multiple routing techniques, including DNS, HTTP, manifest rewrite, and a routing API for content providers to optimize edge node selection.
Qwilt provides sophisticated routing manipulations for media delivery, and a unique set of capabilities to support accurate routing. For example, Qwilt maintains intimate knowledge of the ISP network through BGP integration or other APIs, enabling the communication of specific subnets with respect to specific PoPs of our deployment.
Qwilt continuously measures latency between clients and its deployed PoPs, and creates a performance map that informs routing decisions. Qwilt also measures latency to DNS resolvers, which improves DNS routing as well.
This is critical for site delivery routing decisions.
Additionally, Qwilt integrates server health and load, and can cross-reference Qwilt mapping with geolocation data from a third-party database to enhance routing decisions. This enables Qwilt to optimize cache hit probability by sending a client to the cache that is most likely to have the content.