Zero Trust

Security

A security model where no request is trusted by default, regardless of network location. Every request must be authenticated and authorized. CDNs implement this at the edge with mTLS, JWT validation, and identity-aware proxying.

Updated Mar 9, 2026

Full Explanation

Traditional security assumes everything inside the network perimeter is safe. Zero trust assumes nothing is safe. Every request, whether from the office, a VPN, or the public internet, must prove its identity before getting access.

CDNs are a natural enforcement point for zero trust. They sit at the edge, seeing every request before it reaches your infrastructure. A CDN can validate JWT tokens, enforce mTLS client certificates, check IP reputation, and apply per-user access policies, all without the request ever touching your origin.

For CDN-to-origin communication, zero trust means using mTLS (the CDN authenticates itself to your origin with a client certificate) and restricting origin access to only accept connections from the CDN's IP ranges. No direct-to-origin access, ever.
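The three checks described above (source IP restricted to CDN ranges, mTLS verification, and JWT validation) can be modelled as one policy decision in which every check must pass. The following is an added example, not code from the original page or from any CDN vendor: a small Python gate built only on the standard library. The HS256 shared secret, the single CDN range (taken from the page's iptables example), and the sample requests are constructed for this illustration; a production edge would usually verify tokens issued by an identity provider (often RS256/ES256 against a JWKS) rather than a shared secret.

```python
"""Minimal zero-trust request gate: IP allow-list + mTLS result + JWT check.

All keys, ranges and requests here are constructed for the example.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional, Tuple

# Constructed shared secret; not a real key.
JWT_SECRET = b"example-shared-secret-not-for-production"

# Assumed allow-list of CDN egress ranges (the page's iptables example uses this one).
# A real deployment loads the provider's full published list.
CDN_RANGES = [ipaddress.ip_network("103.21.244.0/22")]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Issue an HS256 JWT (used here only to build sample tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = JWT_SECRET,
               now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: refuses "none" and algorithm-confusion tokens.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        # Expiry is mandatory; a token without "exp" is treated as invalid.
        if not isinstance(claims, dict) or float(claims["exp"]) <= now:
            return None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None
    return claims


def evaluate_request(source_ip: str, headers: dict, client_cert_verified: bool,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Zero-trust decision: every check must pass; network location alone grants nothing."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in CDN_RANGES):
        return False, "source not in CDN ranges"
    if not client_cert_verified:
        return False, "mTLS client certificate not verified"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_jwt(auth[len("Bearer "):], now=now)
    if claims is None:
        return False, "invalid or expired JWT"
    return True, f"allowed for {claims.get('sub')}"


if __name__ == "__main__":
    # Constructed sample: a valid token presented from inside the CDN range over mTLS.
    token = make_jwt({"sub": "alice", "exp": time.time() + 300})
    print(evaluate_request("103.21.244.10", {"Authorization": "Bearer " + token}, True))
    print(evaluate_request("203.0.113.5", {"Authorization": "Bearer " + token}, True))
```

The order of checks matters little for correctness, since any failure denies, but putting the cheapest check (source range) first mirrors what a firewall rule ahead of the TLS stack does: traffic that is not from the CDN never reaches the handshake or the token parser.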

Examples

# Origin: only accept CDN connections (iptables)
# 103.21.244.0/22 is one Cloudflare range; a real rule set loads the full published list
iptables -A INPUT -p tcp --dport 443 -s 103.21.244.0/22 -j ACCEPT  # CF IPs
iptables -A INPUT -p tcp --dport 443 -j DROP  # Block everything else

# mTLS: CDN authenticates to origin (nginx)
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/origin.pem;      # origin's own cert/key (placeholder paths)
    ssl_certificate_key /etc/ssl/origin-key.pem;
    ssl_client_certificate /etc/ssl/cdn-ca.pem;   # CA that issues the CDN's client certs
    ssl_verify_client on;                         # handshake fails without a valid client cert
    # Belt-and-braces: reject anything that reached the request phase unverified
    if ($ssl_client_verify != SUCCESS) { return 403; }
}

# Cloudflare Access: identity-aware proxy
# 1. Create Access app for internal.example.com
# 2. Policy: require SSO + device posture
# 3. CDN validates before proxying to origin

Related CDN concepts include:

  • mTLS (mTLS) — Mutual TLS. Both client and server present X.509 certificates during the TLS handshake, authenticating each …
  • Rate Limiting — Restricting the number of requests a client can make within a time window. Protects origins …
  • SNI (Server Name Indication) (SNI) — A TLS extension that lets the client specify which hostname it's connecting to during the …
  • TLS (Transport Layer Security) (TLS) — The encryption protocol that secures HTTPS connections. TLS encrypts data in transit between client and …
  • WAF (WAF) — Web Application Firewall. Inspects HTTP requests at the CDN edge and blocks malicious traffic: SQL …