This content originally appeared on DEV Community and was authored by Tyler Johnston-Kent
When the CDN Blinks: Endpoint Obfuscation, TTL Conflict, and Behavioral Web Architecture
By Tyler Johnston-Kent (Formant)
Computational Behavioral Analyst • Indie Systems Engineer • Firebase Web Architect
TL;DR
I built a modular, fast-loading, secure portfolio and CMS system entirely from scratch — no frameworks, no CMS, no dependencies. Along the way, I unintentionally triggered a CDN cache anomaly involving Firebase Hosting and Cloudflare, driven by endpoint obfuscation and honeypot logic.
This is a case study in how behaviorally-aware web design can expose CDN TTL mismatches, detect botnet patterns, and passively observe spoofed access without intrusive fingerprinting.
System Overview
Core Stack:
- Firebase Hosting (static deployment)
- Firestore (dynamic content feed)
- Cloudflare Proxy (security layer)
- Custom JavaScript router + modular content injection
- Admin-auth CMS powered by Firebase Auth
Behavioral Layer:
- Honeypot script (superSecret.js) logging to botViews
- Structural endpoint obfuscation for trap routing
- CSP with inline script bans and strict source rules
- Lazy-loading embeds for YouTube, Spotify, SoundCloud
Behavioral Traps and Endpoint Obfuscation
While my frontend appears minimal, certain paths and scripts serve no user-facing purpose — they exist solely to trap bots or trigger conditional responses:
- Decoy script files and API endpoints
- Anchor tags that only bots follow
- Routes designed to mimic outdated structures
- Conditional logic that behaves differently when accessed outside intended UX flow
These elements create a passive detection grid: if something touches them, I know it’s not a human.
The CDN TTL Conflict
After deploying pages with these honeypots in place:
- WhatsMyDNS began returning mixed propagation across locations
- Firebase CDN would purge cache cleanly, but some regions via Cloudflare retained outdated assets
- Certain bots, especially ones hitting decoy paths, would be served ghost data that no longer existed in the live system
Conclusion: Bot traffic triggered stale Cloudflare edge caches while Firebase updated globally — revealing a TTL conflict and CDN divergence only visible through these obfuscation traps.
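Added example, not code from the original post: one way to check whether a Cloudflare edge copy predates the last Firebase deploy, by comparing the ETag, Age and CF-Cache-Status headers of the edge response with the origin's. The function names, the header samples and the 900-second deploy age are constructed assumptions.

```javascript
// Added example. Header values below are constructed samples, not captured traffic.

// Parse a Cache-Control header into { directive: number | true }.
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || '').split(',')) {
    const [k, v] = part.trim().toLowerCase().split('=');
    if (k) out[k] = v === undefined ? true : Number(v);
  }
  return out;
}

// Cloudflare may weaken a strong ETag (W/ prefix) when it recompresses a body,
// so compare validators with the weak marker removed.
const normalizeEtag = (etag) => (etag || '').replace(/^W\//, '');

// edge/origin: lower-cased header maps for the same URL via Cloudflare and
// straight from Firebase Hosting. secondsSinceDeploy: time since last deploy.
function assessEdgeCopy(edge, origin, secondsSinceDeploy) {
  const cc = parseCacheControl(edge['cache-control']);
  const ttl = cc['s-maxage'] ?? cc['max-age'] ?? 0; // shared caches prefer s-maxage
  const age = Number(edge.age || 0);
  const status = (edge['cf-cache-status'] || 'NONE').toUpperCase();
  const reasons = [];
  if (edge.etag && origin.etag && normalizeEtag(edge.etag) !== normalizeEtag(origin.etag)) {
    reasons.push('etag-mismatch');
  }
  if (age > secondsSinceDeploy) reasons.push('cached-before-deploy');
  // A HIT older than the origin's TTL means the edge is using its own TTL.
  if (status === 'HIT' && age > ttl) reasons.push('served-past-origin-ttl');
  if (status === 'STALE' || status === 'UPDATING') reasons.push('edge-reported-stale');
  return { stale: reasons.length > 0, ttl, age, status, reasons };
}

const ORIGIN = { etag: '"v42"', 'cache-control': 'max-age=3600' };
const EDGE_SAMPLES = {
  fresh: { etag: 'W/"v42"', 'cache-control': 'max-age=3600', age: '120', 'cf-cache-status': 'HIT' },
  ghost: { etag: '"v41"', 'cache-control': 'max-age=3600', age: '5400', 'cf-cache-status': 'HIT' },
};

function runSamples(secondsSinceDeploy = 900) {
  const report = {};
  for (const [name, headers] of Object.entries(EDGE_SAMPLES)) {
    report[name] = assessEdgeCopy(headers, ORIGIN, secondsSinceDeploy);
  }
  return report;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Logging the reasons array next to each honeypot hit shows whether a given "ghost" response came from a pre-deploy cache entry or from an edge TTL that outlives the origin's.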
Theory: Behavioral Divergence through CDN Cache States
When bots hit obfuscated paths:
- Cloudflare may cache stale versions based on non-standard TTL behavior
- Firebase CDN refreshes cleanly, especially after a manual invalidation
- Result: Different users receive different versions of the same page, depending on their access method and origin
This created a passive fingerprinting method:
- Real users = fresh content
- Bots/spoofers = ghost data, 404s, or mismatched layout rendering
Security-Through-Structure, Not Surveillance
This system doesn’t rely on:
- Session fingerprinting
- External analytics scripts
- Third-party cookies
Instead, it tracks:
- Access flow patterns
- CDN behavior anomalies
- Script call behavior and sequence mismatch
It’s security by architecture — not by tracking.
Coming Features
- Full layout picker system for client sites (theme and module config)
- Visual honeypot access map by region
- Automated TTL invalidation logs with analytics overlay
- Public CMS offering for other artists (via API key injection)
Final Thoughts
People say my site “looks simple.” That’s the point.
The simplicity is an illusion — behind it is a fully modular, dynamically routed, security-aware system designed not just for speed and UX, but for observation. This isn’t about overengineering. It’s about understanding how modern traffic moves — and how to learn from it.
If I can detect bot behavior, CDN drift, and user intent without a single external framework, you probably can too. You just have to think differently.
Written by Tyler Johnston-Kent
Computational Behavioral Analyst & Creator of Formant.ca
Indie game developer | Music producer | Web systems engineer
“Note: I use the term ‘Computational Behavioral Analyst’ to describe my self-taught focus on bot traffic, access behavior, CDN anomalies, and real-time passive observation. It reflects what I do — not what I’m certified for.”
Articulated through signal — Powered by Formant.