Safeguard
Tag

cdn-security

Safeguard articles tagged "cdn-security" — guides, analysis, and best practices for software supply chain and application security.

7 articles

Supply Chain Attacks

Anatomy of the polyfill.io CDN Compromise

In June 2024, a single acquired domain turned a free CDN trusted by over 100,000 sites into a live malware injection point — with no dependency update required.

Jul 8, 20266 min read
Application Security

Web cache poisoning: attack mechanics and prevention

A 2024 academic scan of the Tranco Top 1000 domains found roughly 17% vulnerable to web cache poisoning — here's how the attack works and how to stop it at the edge.

Jul 8, 20266 min read
Incident Analysis

Polyfill.io supply chain attack

How a domain sale turned a trusted CDN into a malware vector for 100,000+ sites — and what the polyfill.io incident teaches defenders about third-party script risk.

Nov 8, 20257 min read
Incident Analysis

jQuery CDN supply chain risk analysis

jQuery loads on ~75% of websites, often via CDNs with no SRI or version pinning. The cdnjs RCE and Polyfill.io hijack show why that trust model keeps failing.

Nov 6, 20258 min read
Supply Chain Security

Polyfill.io Supply Chain Attack: When a CDN Domain Changes Hands

A Chinese company acquired the polyfill.io domain and began injecting malicious code into websites that relied on the CDN, affecting over 100,000 sites. The attack exploited trust in third-party JavaScript.

Jun 25, 20246 min read
Web Security

Cache Poisoning Attacks: How They Work and How to Prevent Them

Cache poisoning attacks manipulate web caches to serve malicious content to other users. This guide covers web cache poisoning, DNS cache poisoning, and practical defenses for modern applications.

Sep 5, 20237 min read
Application Security

Subresource Integrity Failures: When CDN Trust Goes Wrong

SRI protects against CDN compromises and supply chain attacks on client-side scripts. Most web applications do not use it. Here is what they are missing.

May 12, 20235 min read
cdn-security — Safeguard Blog