cdnzero
Get started free →
Security

Security Overview

How CDNZero protects your data, assets, and infrastructure.

SOC 2 Type II

Annual third-party audit of security controls, availability, and confidentiality

GDPR

EU-compliant data handling, right-to-erasure support, data residency options

TLS 1.3

All data in transit encrypted end-to-end

AES-256

All stored files encrypted at rest

DDoS protection

Every CDNZero edge location is protected by 10+ Tbps of DDoS mitigation. Traffic scrubbing happens at the network layer before requests reach your assets or API. Volumetric, application-layer, and amplification attacks are all handled automatically — no configuration required.

Authentication & tokens

  • Short-lived JWT access tokens — 15-minute expiry with automatic refresh via the SDK. Concurrent 401s trigger a single refresh, not a stampede (async-mutex pattern).
  • Google OAuth via Firebase — CDNZero never stores Google credentials; authentication is fully delegated
  • Invite-only team access — new members can only join your org via explicit invitation

API key security

  • Access Keys are hashed on storage — CDNZero staff cannot retrieve a key's value after creation
  • Keys are scoped per organisation — a compromised key cannot touch any other org's data
  • Revocation is instant — all active requests using a revoked key fail immediately
  • The Access page shows Last Used timestamps so you can audit and retire stale keys

File access control

VisibilityWho can accessBest for
PublicAnyone with the CDN URL — no authMarketing images, public assets, open downloads
PrivateOnly via a signed URL (time-limited, server-generated)User uploads, invoices, gated content

Signed URL security

Signed URLs are cryptographically signed using your Secret Key. The signature covers the file ID, expiry timestamp, and access scope. Tampered or expired URLs are rejected at the edge — they never reach your origin.

💡 Best practice

Always generate signed URLs server-side on demand with a short TTL (5–15 minutes for sensitive content). Never expose your Access Key or Secret Key in frontend code.

Responsible disclosure

Found a security vulnerability? Email security@cdnzero.com. We follow a 90-day coordinated disclosure timeline and credit researchers in our changelog.