Securing Azure CDN assets with token authentication
Overview
Token authentication is a mechanism that allows you to prevent the Azure Content Delivery Network (CDN) from serving assets to unauthorized clients. Token authentication is typically done to prevent hotlinking of content, in which a different website, such as a message board, uses your assets without permission. Hotlinking can have an impact on your content delivery costs. By enabling token authentication on CDN, requests are authenticated by CDN edge server before the CDN delivers the content.
How it works
Token authentication verifies that requests are generated by a trusted site by requiring requests to contain a token value that holds encoded information about the requester. Content is served to a requester only if the encoded information meets the requirements; otherwise, requests are denied. You can set up the requirements by using one or more of the following parameters:
- Country/Region: Allow or deny requests that originate from the countries/regions specified by their country/region code.
- URL: Allow only requests that match the specified asset or path.
- Host: Allow or deny requests that use the specified hosts in the request header.
- Referrer: Allow or deny request from the specified referrer.
- IP address: Allow only requests that originated from specific IP address or IP subnet.
- Protocol: Allow or deny requests based on the protocol used to request the content.
- Expiration time: Assign a date and time period to ensure that a link remains valid only for a limited time period.
For more information, see the detailed configuration examples for each parameter in Setting up token authentication.
Important
If token authorization is enabled for any path on this account, standard-cache mode is the only mode that can be used for query string caching. For more information, see Control Azure CDN caching behavior with query strings.
Reference architecture
The following workflow diagram describes how the CDN uses token authentication to work with your web app.
Token validation logic on CDN endpoint
The following flowchart describes how Azure CDN validates a client request when token authentication is configured on CDN endpoint.
