Configuring a TLS profile for a CDN resource
Cloud CDN supports TLS 1.0 and higher for client connections.
For added CDN resource security, configure a dedicated profile to restrict the allowed TLS versions.
For more information, see TLS profiles.
To enable the option, add the tls section to the CDN resource specification in the request body when using the create or update method for a Resource:
"tls": {
  "profile": "<TLS_security_profile>"
}
Supported security profiles:
- PROFILE_STRICT: Only TLS 1.3-compatible ciphers.
  Note: All TLS 1.3 ciphers are considered secure.
- PROFILE_SECURE: Ciphers compatible with TLS 1.2+ that support PFS (Perfect Forward Secrecy) and AEAD (Authenticated Encryption with Associated Data).
- PROFILE_COMPATIBLE: Ciphers compatible with TLS 1.2+ that have no known critical vulnerabilities. This profile is used by default.
- PROFILE_LEGACY: Ciphers compatible with TLS 1.0+ that have no known critical vulnerabilities.
Here is an example:
export IAM_TOKEN=`yc iam create-token`
curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://cdn.api.cloud.yandex.net/cdn/v1/resources' \
  --data '{
    "folderId": "b12m81qm6abc********",
    "cname": "cdn-portal.example.com",
    "origin": {
      "originSourceParams": {
        "source": "portal.example.com",
        "meta": {
          "common": { "name": "portal.example.com" }
        }
      }
    },
    "originProtocol": "HTTPS",
    "options": {
      "tls": {
        "profile": "PROFILE_SECURE"
      }
    }
  }'
Result:
{
  "done": true,
  "metadata": {
    "@type": "type.googleapis.com/yandex.cloud.cdn.v1.CreateResourceMetadata",
    "resourceId": "bc8rgivxwhcy********"
  },
  "response": {
    "@type": "type.googleapis.com/yandex.cloud.cdn.v1.Resource",
    "active": true,
    "options": {
      ...
      "tls": {
        "profile": "PROFILE_SECURE"
      }
    },
    ...
  },
  "id": "bc8y2mnkri2d********",
  "description": "Create resource",
  "createdAt": "2026-02-05T18:02:30.735628Z",
  "createdBy": "aje9k8luj4qf********",
  "modifiedAt": "2026-02-05T18:02:30.735628Z"
}
To enable the option, add the tls section to the CDN resource specification in the request body when calling ResourceService/Create or ResourceService/Update:
"tls": {
  "profile": "<TLS_security_profile>"
}
Supported security profiles:
- PROFILE_STRICT: Only TLS 1.3-compatible ciphers.
  Note: All TLS 1.3 ciphers are considered secure.
- PROFILE_SECURE: Ciphers compatible with TLS 1.2+ that support PFS (Perfect Forward Secrecy) and AEAD (Authenticated Encryption with Associated Data).
- PROFILE_COMPATIBLE: Ciphers compatible with TLS 1.2+ that have no known critical vulnerabilities. This profile is used by default.
- PROFILE_LEGACY: Ciphers compatible with TLS 1.0+ that have no known critical vulnerabilities.
Here is an example:
export IAM_TOKEN=`yc iam create-token`
grpcurl \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
    "folder_id": "b12m81qm6abc********",
    "cname": "cdn-portal.example.com",
    "origin": {
      "origin_source_params": {
        "source": "portal.example.com",
        "meta": {
          "common": { "name": "portal.example.com" }
        }
      }
    },
    "origin_protocol": "HTTPS",
    "options": {
      "tls": {
        "profile": "PROFILE_SECURE"
      }
    }
  }' \
  cdn.api.cloud.yandex.net:443 \
  yandex.cloud.cdn.v1.ResourceService/Create
Result:
{
  "id": "bc8h7teov4q7********",
  "description": "Create resource",
  "createdAt": "2026-02-05T18:19:01.262477Z",
  "createdBy": "aje9k8luj4qf********",
  "modifiedAt": "2026-02-05T18:19:01.262477Z",
  "done": true,
  "metadata": {"@type":"type.googleapis.com/yandex.cloud.cdn.v1.CreateResourceMetadata","resourceId":"bc8r4gogfqeb********"},
  "response": {..."options":{..."tls":{"profile":"PROFILE_SECURE"}},...}
}
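An added example, not part of the original documentation: a Python check that takes CDN Resource objects shaped like the response field in the results above and reports those whose effective TLS profile is weaker than a required one, treating a missing tls section as the default PROFILE_COMPATIBLE. The strictness ordering of the four profiles, the function names and the sample resources are assumptions made for illustration.

```python
# Added example: audits CDN Resource objects against a required TLS profile.
# Profile names, TLS floors and the default are taken from the list on this
# page; the weakest-to-strictest ranking is this example's assumption.
PROFILES = {  # name -> (rank, minimum TLS version)
    "PROFILE_LEGACY": (0, "1.0"),
    "PROFILE_COMPATIBLE": (1, "1.2"),
    "PROFILE_SECURE": (2, "1.2"),
    "PROFILE_STRICT": (3, "1.3"),
}
DEFAULT_PROFILE = "PROFILE_COMPATIBLE"  # used when no profile is configured


def effective_profile(resource):
    """Return (profile, explicit) for one Resource object."""
    tls = (resource.get("options") or {}).get("tls") or {}
    profile = tls.get("profile")
    if not profile:
        return DEFAULT_PROFILE, False
    return profile, True


def audit_tls_profiles(resources, required="PROFILE_SECURE"):
    """List (name, profile, reason) for resources weaker than `required`."""
    required_rank = PROFILES[required][0]
    findings = []
    for res in resources:
        profile, explicit = effective_profile(res)
        name = res.get("cname", res.get("id", "<unknown>"))
        if profile not in PROFILES:
            findings.append((name, profile, "unknown profile value"))
            continue
        rank, min_tls = PROFILES[profile]
        if rank < required_rank:
            origin = "set explicitly" if explicit else "default, no tls section"
            reason = f"below {required}: TLS {min_tls}+ ({origin})"
            findings.append((name, profile, reason))
    return findings


# Constructed sample input; the cname values other than the first are made up.
SAMPLE = [
    {"cname": "cdn-portal.example.com", "options": {"tls": {"profile": "PROFILE_SECURE"}}},
    {"cname": "cdn-old.example.com", "options": {"tls": {"profile": "PROFILE_LEGACY"}}},
    {"cname": "cdn-static.example.com", "options": {}},
    {"cname": "cdn-api.example.com", "options": {"tls": {"profile": "PROFILE_STRICT"}}},
]

if __name__ == "__main__":
    for name, profile, reason in audit_tls_profiles(SAMPLE):
        print(f"{name}: {profile} -> {reason}")
```

Resources created without a tls section show up here because they silently run with the default profile, which is the case most likely to be missed in a review.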