Protect Your API with a WAF

APIs are now central to most modern web applications. They power mobile apps, connect services, and expose business logic directly to the internet. This makes them an attractive target for attackers. A Web Application Firewall (WAF) can provide important protection, but only if it is configured with the unique challenges of APIs in mind.
Why APIs need special protection
Unlike traditional web pages, APIs often deal with structured data such as JSON or XML. Requests are machine-to-machine, which means there are fewer human cues to detect when something looks suspicious. APIs also expose functions directly — such as account management or payment processing — making them high-value targets. ...

The History of Web Application Firewalls

Origins in the 1990s
The first wave of web applications in the mid-1990s exposed new security risks. Traditional firewalls operated at the network and transport layers. They could block ports or IPs but had no understanding of HTTP requests or application logic. Attacks like SQL injection, cross-site scripting, and parameter tampering emerged in this gap. Early attempts at protection were often custom CGI filters or reverse proxies that inspected URLs and query strings. These were brittle and hard to maintain, but they marked the beginning of application-aware inspection. ...

WAF FAQ

A Web Application Firewall (WAF) is a security layer that protects web applications by filtering and monitoring HTTP traffic between the application and the internet. WAFs are often integrated into CDNs or multi-CDN deployments, inspecting traffic at the edge before it reaches the origin. This FAQ explores the ten questions that come up most often, with a focus on practical considerations for operators and developers.
What is a WAF and how does it work?
A WAF sits between users and the application, analyzing every HTTP or HTTPS request before it reaches the origin. It applies a set of rules designed to catch malicious patterns, such as SQL injection payloads or cross-site scripting attempts. Depending on configuration, the WAF may block, allow, or log requests. ...

MultiCDN

What MultiCDN is
MultiCDN uses more than one CDN provider at the same time. The goal is better reach, higher availability, and lower tail latency. A steering layer decides which provider should serve each request based on performance, health, geography, or cost.
When to use it
Pick MultiCDN when a single provider leaves gaps in coverage, when outages are costly, or when large events create sharp traffic spikes. It adds control and resilience, but also complexity. If one CDN already meets your SLOs, start there and add more only for clear benefits. ...

August 17, 2025

Content Delivery Networks (CDN)

Intro
This section explains content delivery networks in practical terms. Focus areas are delivery, performance, security, pricing, SEO, and integration. Material is organized as quick answers with links to deeper pages. Each answer uses concrete mechanisms and conservative guidance.
Quick answers
What is a CDN and how does it work?
A content delivery network is an overlay of edge servers designed to bring content closer to clients. Each edge accepts connections, terminates TLS, enforces policy, and serves cached responses. The edge fetches from origin only when a response is missing or expired. The response is stored under a cache key for reuse. The cache key typically includes method and path, and a small set of safe vary dimensions such as Accept and Accept-Encoding. Cookies and volatile headers should not be part of the key unless required. ...

August 17, 2025

HTTP Status Codes

HTTP status codes are three-digit responses sent by servers to describe the outcome of a request. They’re grouped into five classes:
Class   Range     Meaning
1xx     100–199   Informational — request received
2xx     200–299   Success — request handled
3xx     300–399   Redirection — further action needed
4xx     400–499   Client error — problem with request
5xx     500–599   Server error — problem on the server
Quick Reference: Common Codes
2xx — Success
200 OK
201 Created
204 No Content
206 Partial Content
3xx — Redirection ...

Multi-CDN For Operators: Strategy, Architecture, and Operations

Synopsis
This chapter explains the principles and practice of operating more than one content delivery network at the same time. Multi-CDN is used to improve availability, performance, and resilience. It also increases complexity and cost. This document describes when multi-CDN is appropriate, how to design it, and how to operate it reliably.
Fit analysis
Multi-CDN is most useful when service level objectives require high availability across many regions, performance varies between providers in different areas, regulatory or commercial risk must be spread across vendors, or large traffic bursts cannot be absorbed by a single provider. It is less appropriate when traffic volume is low, the operational team is small, or application features depend on one vendor’s proprietary services. ...