Integrate your CDN with DataDome

Protect your CDN traffic from bots.

DataDome can be used with any major CDN. By using the X-Forwarded-for field and a trusted chain check, the DataDome module is able to identify the real client IP that is actually requesting the page.

Akamai

DataDome considers all IP ranges used by Akamai Edges as "Trusted Proxy". Since Akamai doesn't provide an accurate list of its Edges' IPs, we had to develop a complex analysis of the incoming traffic to be able to detect new Akamai Edges that are released frequently.

The default Akamai configuration works properly with the DataDome Module. Akamai currently forwards all required information to the Origin.

CloudFlare

DataDome considers all IP ranges used by CloudFlare as "Trusted Proxy" .

The default CloudFlare configuration works properly with the DataDome Module. CloudFlare currently forwards all required information to the Origin.

Verizon (Edgecast)

DataDome considers all IP ranges used by Verizon Edges as "Trusted Proxy". Since Verizon doesn't provide an accurate list of its Edges' IPs, we had to develop a complex analysis of the incoming traffic to be able to detect new Verizon Edges that are released frequently.

The default Verizon configuration works properly with the DataDome Module. Verizon currently forwards all required information to the Origin.

Azure CDN

Azure proposes two CDN providers, Akamai and Verizon.
Both solutions works properly with the DataDome Module as we have added all Edge Ranges' IPs in the trusted proxy. These providers currently forward all required information in the default configuration.

Level 3

DataDome considers all IP ranges used by Level 3 Edges as "Trusted Proxy". Since Level 3 doesn't provide an accurate list of its Edges' IPs, we had to develop a complex analysis of the incoming traffic to be able to detect new Level 3 Edges that are released frequently.

The default Level 3 configuration works properly with the DataDome Module. Level 3 currently forwards all required information to the Origin.

OVH

DataDome considers all IP ranges used by OVH Edges as "Trusted Proxy". Since OVH doesn't provide an accurate list of its Edges' IPs, we had to develop a complex analysis of the incoming traffic to be able to detect new OVH Edges that are released frequently.

The default OVH configuration works properly with the DataDome Module. OVH currently forwards all required information to the Origin.

Cache Management

DataDome will protect all hits that reach the Origin.

Statistically, bots tend to crawl far more cold content than real users, which allows us to block most of their hits. We generally notice a block ratio around 80%. Of course, this number may vary depending on your cache policy.

If you need to protect all your content, we recommend using the header max-age to force the CDN to reach the Origin for each hit.

This header will not disable the cache, but will force the CDN to check cache validity for each hit.
As the packet is very light (no content), the resulting overhead will be very limited. The hit can be handled at web server level so that it doesn't reach the application level.

The Origin can answer with 3 different cases:

  • 200: the Origin generates a new page because the cache is missing or stale. The CDN will add this content to its cache.
  • 304: the CDN will deliver the page from its cache.
  • 403: the DataDome module is preventing the CDN from delivering the page. In this case, no change will be applied to the current CDN cache.

The Last-Modified header should be added to your content at the Origin to allow the CDN to handle the 304 response code.

Edge-control: cache-maxage=0s
Cache-Control: max-age=0
Cache-Control: max-age=0
Cache-Control: max-age=0
Cache-Control: max-age=0