Leeching is an annoying drain on your bandwidth, and you may also need to offer more controlled, time-limited access to your CDN resources. One way out is to apply a secure token to each of your CDN links so that the link can be switched off after a certain amount of time. You can do this by responding with a 410 Gone status code.

Sounds pretty straightforward with a custom app or CMS, but what happens when your main platform is WP and, for this example, CDN Linker is the plugin you've used to add CDN support to your website? I've dedicated some time to finding a bypass, so let's crank it!

  1. Enable the token and define your secret in the provided field under the zone's Security settings:

  2. CDN Linker has two files we need for this: one holds the main options set (ossdl-cdn-off-linker/wp-cdn-linker.php) and the other the main rewriting logic (ossdl-cdn-off-linker/cdn-linker-base.php). To start, we'll add a text box for the token and register the option properly:

    1. Open ossdl-cdn-off-linker/wp-cdn-linker.php and add the HTML tags that display a label and a text field with a notification text (the `for` attribute must point at the token field's `id`, and the stored value is escaped before it is echoed back into the attribute):

      <label for="ossdl_off_token">SECURE TOKEN</label>
      <input type="text" id="ossdl_off_token" name="ossdl_off_token" size="64" value="<?php echo esc_attr(get_option('ossdl_off_token')); ?>" />
      <span>USE THIS OPTION ONLY IF YOU HAVE SECURE TOKEN ENABLED</span>
    2. This piece of code will show something like this on the CDN Linker configuration page:

  3. Register the option – extend the activate action

    function ossdl_off_activate() {
        add_option('ossdl_off_cdn_url', get_option('siteurl'));
        add_option('ossdl_off_include_dirs', 'wp-content,wp-includes');
        add_option('ossdl_off_exclude', '.php');
        add_option('ossdl_off_rootrelative', '');
        add_option('ossdl_off_www_is_optional', '');
        add_option('ossdl_off_disable_cdnuris_if_https', '1');
        add_option('ossdl_off_token', ''); // new: secure token secret, empty = feature off
    }
  4. Extend the deactivate action

    function ossdl_off_deactivate() {
        delete_option('ossdl_off_cdn_url');
        delete_option('ossdl_off_include_dirs');
        delete_option('ossdl_off_exclude');
        delete_option('ossdl_off_rootrelative');
        delete_option('ossdl_off_www_is_optional');
        delete_option('ossdl_off_disable_cdnuris_if_https');
        delete_option('ossdl_off_token'); // new
    }
  5. Extend the update action (the nonce check is already there; the token is sanitized before it is stored)

    function ossdl_off_options() {
        if (!empty($_POST) && check_admin_referer('save-options', 'ossdl-nonce')) {
            update_option('ossdl_off_cdn_url', $_POST['ossdl_off_cdn_url']);
            update_option('ossdl_off_token', sanitize_text_field($_POST['ossdl_off_token'])); // new
            …
        }
    }
    1. Open ossdl-cdn-off-linker/cdn-linker-base.php and create a function called, for example, "sec". It builds the MaxCDN-style token: the raw MD5 of secret + path + expiry, base64-encoded, made URL-safe and stripped of padding. Note that the expiry is one hour, not one day, and that the function must return the signed path:

      function sec($rel) {
          $secret = get_option('ossdl_off_token'); // token value from the text field in the settings section
          $path   = $rel;                           // site-relative path, e.g. /wp-includes/css/dashicons.min.css
          $expire = time() + 3600;                  // one hour validity
          $md5 = base64_encode(md5($secret . $path . $expire, true));
          $md5 = strtr($md5, '+/', '-_');           // URL-safe base64 alphabet
          $md5 = str_replace('=', '', $md5);        // drop padding
          return "{$path}?st={$md5}&e={$expire}";
      }
    2. Under the function "rewrite_single" find:
      return str_replace($blog_url, $this->cdn_url->get_for($match[0]), $match[0]);
    3. and replace it with:
      if (get_option('ossdl_off_token') != "") {
          // strip the blog URL, sign the remaining site-relative path, then prepend the CDN host
          $abs = str_replace($blog_url, '', $match[0]);
          $abs = sec($abs);
          return $this->cdn_url->get_for($match[0]) . $abs;
      } else {
          return str_replace($blog_url, $this->cdn_url->get_for($match[0]), $match[0]);
      }
  6. Explanation:
    If the ossdl_off_token option is set (the text field contains a token value), call the "sec" function and pass the site-relative URI to it, so the secure query string is composed and appended.
    If ossdl_off_token is empty (no token set), simply rewrite the URL with the predefined CDN URL as before.
  7. Resulting source code portion:

    <link rel='stylesheet' id='dashicons-css'  href='http://foo.bar.netdna-cdn.com/wp-includes/css/dashicons.min.css?st=RiIb3samLXPHiuMd30U_Dw&e=1398811628' type='text/css' media='all' />
    <link rel='stylesheet' id='admin-bar-css'  href='http://foo.bar.netdna-cdn.com/wp-includes/css/admin-bar.min.css?st=RoOgowtm2Fjyxa8yhfzfsQ&e=1398811628' type='text/css' media='all' />
    <link rel='stylesheet' id='genericons-css'  href='http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/genericons/genericons.css?st=IJBVawC0fuzC9cSov2FMjA&e=1398811628' type='text/css' media='all' />
    <link rel='stylesheet' id='twentyfourteen-style-css'  href='http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/style.css?st=9P2LcL8cBUz7JbZiBiwslg&e=1398811628' type='text/css' media='all' />

    Let's see how the response looks in both cases – with and without the
    secure token (i.e. whether leeching is still possible):

    1. With the regular token query string
      curl -I "http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/genericons/genericons.css?st=IJBVawC0fuzC9cSov2FMjA&e=1398811628"
      HTTP/1.1 200 OK
      Date: Tue, 29 Apr 2014 21:51:29 GMT
      Content-Type: text/css
      Content-Length: 22680
      Connection: keep-alive
      Last-Modified: Tue, 12 Nov 2013 18:38:10 GMT
      Pragma: public
      Cache-Control: public, must-revalidate, proxy-revalidate
      Cache-Control: public, max-age=604800
      Expires: Tue, 06 May 2014 21:51:26 GMT
      Server: NetDNA-cache/2.2
      X-Cache: HIT
      Accept-Ranges: bytes
    2. Without the token
      curl -I http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/genericons/genericons.css
      HTTP/1.1 403 Forbidden
      Date: Tue, 29 Apr 2014 21:53:49 GMT
      Content-Type: text/html
      Content-Length: 169
      Connection: keep-alive
      Server: NetDNA-cache/2.2
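To make the mechanism concrete, here is an added Python example (not part of CDN Linker or of the original post) that reproduces the token construction used by sec() above and emulates the edge-side check. MaxCDN's real server logic is not public, so edge_check(), the hostname, the secret and the asset paths are assumptions for illustration only. It walks through what a leecher could try against a signed link: dropping the token, reusing it on another file, stretching the expiry, or simply waiting past it.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed values for the example. The real secret lives in the
# ossdl_off_token option and never reaches the browser.
SECRET = "example-zone-secret"            # constructed, not a real key
CDN_HOST = "http://foo.bar.netdna-cdn.com"  # hostname from the page, assumed
TOKEN_TTL = 3600                          # one hour, same as sec() in PHP


def make_token(secret: str, path: str, expire: int) -> str:
    """Same construction as the page's sec(): raw md5(secret . path . expire),
    base64 with '+/' mapped to '-_' and the '=' padding stripped (22 chars)."""
    digest = hashlib.md5(f"{secret}{path}{expire}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_url(secret: str, path: str, now: int, ttl: int = TOKEN_TTL) -> str:
    """Origin side: what the modified rewrite_single() emits for one asset.
    `path` is the site-relative path, e.g. /wp-includes/css/dashicons.min.css."""
    expire = now + ttl
    return f"{CDN_HOST}{path}?st={make_token(secret, path, expire)}&e={expire}"


def edge_check(secret: str, url: str, now: int) -> int:
    """Edge side, emulated (assumption: MaxCDN's implementation is not public).
    Returns the HTTP status the CDN would answer with; anything missing,
    expired, tampered or mis-signed gets 403 like the curl output above."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "st" not in qs or "e" not in qs:
        return 403                        # no token at all: the leecher case
    try:
        expire = int(qs["e"][0])
    except ValueError:
        return 403
    if now > expire:
        return 403                        # token past its expiry
    expected = make_token(secret, parts.path, expire)
    # constant-time compare: the token is a credential, not a cache key
    if not hmac.compare_digest(expected.encode(), qs["st"][0].encode()):
        return 403
    return 200


def scenarios(now: int = 1398808289) -> dict:
    """Run the cases a leecher could try against one signed link."""
    path = "/wp-content/themes/twentyfourteen/genericons/genericons.css"
    good = sign_url(SECRET, path, now)
    qs = parse_qs(urlsplit(good).query)
    st, e = qs["st"][0], int(qs["e"][0])
    other = "/wp-includes/js/jquery/jquery.js"
    return {
        "signed": edge_check(SECRET, good, now),
        "no_token": edge_check(SECRET, f"{CDN_HOST}{path}", now),
        "expired": edge_check(SECRET, good, now + TOKEN_TTL + 1),
        # move a valid token to another asset: the path is inside the hash
        "other_path": edge_check(SECRET, f"{CDN_HOST}{other}?st={st}&e={e}", now),
        # push the expiry out by a day: the expiry is inside the hash too
        "extended": edge_check(SECRET, f"{CDN_HOST}{path}?st={st}&e={e + 86400}", now),
        "wrong_secret": edge_check("another-secret", good, now),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:>13}: {status}")
```

Two things the curl output alone does not show: the path and the expiry are both covered by the hash, so a captured token cannot be moved to another asset or given a longer life; but the token is bound to the URL, not to the visitor, so anyone who scrapes your page within the hour gets working links. The scheme shrinks the leeching window, it does not close it.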


To confirm that you implemented MaxCDN correctly, view the source code of any page and check that the CDN domain, not your origin domain, is being used for static assets. Tools like Pingdom, GTmetrix and WebPageTest can also give you more detailed reports on the status of your CDN implementation.