Origin Verification vs CDN Lock-in

Why verifying crawler identity at your origin server matters, and how it prevents vendor lock-in while keeping you in control.

OpenBotAuth Team
architecture, CDN, origin verification, infrastructure

When publishers think about bot management, they often default to CDN-level solutions. Cloudflare, Akamai, and Fastly all offer bot detection features. But there's a hidden cost: lock-in.

The CDN bot management trap

CDN-based bot management works by analyzing traffic at the edge, before requests reach your server. The CDN identifies bots using:

  • IP reputation databases
  • Behavioral analysis
  • JavaScript challenges
  • Machine learning models

This sounds great until you realize:

  1. Your policies live in their systems. Switch CDNs? Start over.
  2. Your data lives in their systems. Want to analyze bot traffic yourself? Pay for their analytics.
  3. Your business logic depends on their features. Need something custom? File a feature request.

Origin verification: a different approach

OpenBotAuth takes a fundamentally different approach. Instead of detecting bots at the CDN, we verify them at your origin.

Here's how it works:

  1. Crawlers sign their requests using HTTP Message Signatures
  2. Your server (or a sidecar) validates the signature
  3. The signature links to a registered identity in the OpenBotAuth registry
  4. Your code decides what to do based on the verified identity

The CDN never needs to know. It just passes requests through.

Why this matters

You own your policies

Access rules live in your codebase or configuration. Version controlled. Auditable. Portable.

You own your data

Every verification happens at your infrastructure. Log it however you want. Analyze it with your own tools.

You own your infrastructure decisions

Switch CDNs tomorrow. Add a second CDN. Remove your CDN entirely. Your bot verification keeps working.

The standard HTTP advantage

OpenBotAuth uses HTTP Message Signatures (RFC 9421), a standard for signing HTTP requests. This means:

  • Any HTTP client can implement signing
  • Any HTTP server can implement verification
  • No proprietary protocols or SDKs required

The signatures travel in standard HTTP headers. CDNs, proxies, and load balancers pass them through unchanged.
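
The sign-then-verify flow described above, as an added example that is not OpenBotAuth's own code: a crawler signs a request per RFC 9421 and the origin rebuilds the signature base, checks freshness and coverage, and resolves the key. Ed25519, the `sig1` label, the key id `crawler-key-1`, the in-memory `REGISTRY` standing in for a registry lookup, and the required-components policy are all assumptions, and the header parsing is simplified to that single label.

```javascript
// Added example (not OpenBotAuth code): RFC 9421 sign/verify with Node's built-in crypto.
const crypto = require('crypto');
// Constructed key pair; REGISTRY is a hypothetical in-memory stand-in for a key registry.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const REGISTRY = new Map([['crawler-key-1', { owner: 'example-crawler', publicKey }]]);
const REQUIRED = ['@method', '@authority', '@path']; // origin policy: must be covered

// Names in the covered-components list, e.g. ("@method" "@path") -> ['@method', '@path'].
const covered = (params) =>
  [...(/^\(([^)]*)\)/.exec(params) || ['', ''])[1].matchAll(/"([^"]+)"/g)].map((m) => m[1]);

// Resolve one covered component (derived "@..." name or plain header) from the request.
function component(req, name) {
  if (name === '@method') return req.method.toUpperCase();
  if (name === '@authority') return req.headers.host.toLowerCase();
  if (name === '@path') return req.path;
  if (req.headers[name] === undefined) throw new Error('missing component ' + name);
  return req.headers[name].trim();
}

// Signature base (RFC 9421 section 2.5): one line per component, then @signature-params.
const signatureBase = (req, params) => covered(params)
  .map((n) => `"${n}": ${component(req, n)}`)
  .concat(`"@signature-params": ${params}`).join('\n');

// Crawler side: sign the base and attach the two standard headers.
function sign(req, created) {
  const params = `("@method" "@authority" "@path");created=${created};keyid="crawler-key-1";alg="ed25519"`;
  const sig = crypto.sign(null, Buffer.from(signatureBase(req, params)), privateKey);
  return { ...req, headers: { ...req.headers, 'signature-input': `sig1=${params}`,
    signature: `sig1=:${sig.toString('base64')}:` } };
}

// Origin side: returns the verified owner, or null if any check fails.
function verify(req, now, maxAgeSec = 300) {
  const input = /^sig1=(.+)$/.exec(req.headers['signature-input'] || '');
  const sig = /^sig1=:([A-Za-z0-9+\/=]+):$/.exec(req.headers.signature || '');
  if (!input || !sig) return null;
  const params = input[1];
  const created = Number((/;created=(\d+)/.exec(params) || [])[1]);
  const entry = REGISTRY.get((/;keyid="([^"]+)"/.exec(params) || [])[1]);
  const names = covered(params);
  if (!entry || !REQUIRED.every((c) => names.includes(c))) return null;
  if (!(Math.abs(now - created) <= maxAgeSec)) return null; // stale, future-dated or missing
  try {
    const base = Buffer.from(signatureBase(req, params));
    return crypto.verify(null, base, entry.publicKey, Buffer.from(sig[1], 'base64')) ? entry.owner : null;
  } catch { return null; }
}
```

Headers an intermediary adds that are not in the covered list do not affect the result, while a change to any covered component (method, authority, path) makes verification fail.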

When CDN integration makes sense

We're not anti-CDN. CDNs are great for:

  • Caching static content
  • DDoS protection
  • Geographic distribution

Use your CDN for what it's good at. Use OpenBotAuth for identity verification.

The bottom line

Bot management at the CDN layer trades control for convenience. Origin verification keeps you in control while maintaining compatibility with any infrastructure setup.

Your origin, your rules.


Ready to try origin verification? See our integration guides or request access to get started.