Authentication overview

Statically operates as a Content Delivery Network (CDN) and image optimization service, primarily focused on delivering static assets efficiently. Unlike APIs that require authentication for programmatic access to user-specific data or transactional operations, Statically's core service model for asset delivery does not typically involve traditional API keys or tokens for each asset request. Instead, authentication principles are applied at the configuration level, ensuring that only authorized sources can leverage the CDN for their content.

For its free tier, Statically processes assets based on the source URL provided, applying optimizations and serving them globally via its CDN. The implicit authentication here is the public accessibility of the source asset. For Statically Pro plans, user authentication secures access to the administrative dashboard, custom settings, and advanced features, such as custom domains and analytics, allowing users to manage their CDN configurations and monitor usage. This account-level authentication ensures that only authorized users can modify their service settings or access sensitive account information.

The service emphasizes secure delivery through HTTPS for all assets, protecting data in transit from eavesdropping and tampering. This aligns with broader web security standards recommended by organizations such as the Internet Engineering Task Force (IETF) for secure communication protocols.

Supported authentication methods

Statically's approach to authentication is segmented between asset delivery and account management. Direct asset delivery generally does not require explicit authentication per request, while access to advanced features and account settings necessitates user authentication.

The following table outlines the primary authentication principles and methods relevant to Statically's services:

| Method | When to Use | Security Level |
|---|---|---|
| URL-based Asset Retrieval | For public static assets on the free tier or standard Pro usage. Statically fetches and caches based on the provided URL. | Medium (relies on source server security and public accessibility) |
| DNS Configuration (Custom Domains) | For mapping custom domains to Statically's CDN, requiring DNS record modification to prove domain ownership. | High (cryptographic proof of domain control via CNAME/A records) |
| Account Login (Email/Password) | To access the Statically Pro dashboard for managing subscriptions, custom domains, and monitoring usage. | High (standard web application security, often with 2FA options) |
| Signed URLs (Future/Advanced) | Potentially for restricted assets or time-limited access, though not a primary feature for general asset delivery. | Very High (cryptographically signed, time-limited access) |

For custom domain integration, Statically requires users to update their domain's DNS records, typically by adding a CNAME record pointing to a Statically-provided endpoint. This process, detailed in the Statically custom domain documentation, serves as a form of authentication, verifying that the user controls the domain they intend to use with the service. This method mirrors practices used by other CDNs and web services to ensure legitimate domain usage.

Getting your credentials

For Statically's core function of delivering static assets, explicit API keys or tokens are generally not required for each asset request. The primary "credential" for asset delivery is the properly formatted URL pointing to your original asset, which Statically then processes and serves.

However, for managing your Statically Pro account and its associated features, you will use a standard email and password combination:

  1. Sign Up for a Pro Account: Navigate to the Statically Pro page and choose a plan. You will be prompted to create an account by providing an email address and setting a password.
  2. Log in to the Dashboard: Once your account is created and confirmed, you can log in to the Statically dashboard using your registered email and password. This dashboard is your central point for managing custom domains, viewing usage statistics, and adjusting settings.
  3. Custom Domain Setup: If you plan to use a custom domain, the credentials for this are managed through your domain registrar. Statically will provide specific CNAME or A record values that you must add to your domain's DNS settings. This is a crucial step for authenticating your domain's ownership and directing traffic through Statically's CDN. Refer to your domain registrar's documentation (e.g., Cloudflare's DNS management guide or similar) for instructions on how to modify DNS records.

There are no public API keys or client secrets issued by Statically for direct programmatic control over asset delivery or optimization settings in the same way that many REST APIs provide. Configuration and management are primarily handled through the web-based dashboard and DNS settings.

Authenticated request example

Since Statically's primary mode of operation for asset delivery does not involve traditional API keys in HTTP headers, an "authenticated request example" for asset retrieval focuses on the URL structure and the underlying security of HTTPS.

Example of a Statically asset request (implicitly "authenticated" by URL structure and HTTPS):

GET https://cdn.statically.io/img/yourdomain.com/wp-content/uploads/2026/05/your-image.jpg?w=800&q=75 HTTP/1.1
Host: cdn.statically.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://yourwebsite.com/

In this example:

  • https://cdn.statically.io: This is the Statically CDN endpoint, ensuring all traffic is encrypted with HTTPS.
  • /img/yourdomain.com/wp-content/uploads/2026/05/your-image.jpg: This path indicates that Statically is fetching and optimizing an image from yourdomain.com. The "authentication" here is the public accessibility of the original image at yourdomain.com/wp-content/uploads/2026/05/your-image.jpg. Statically acts as a proxy, caching and serving the optimized version.
  • ?w=800&q=75: These are Statically's URL parameters for image optimization, requesting the image to be resized to a width of 800 pixels and a quality of 75.
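Because the origin host travels inside the URL path, a site's asset URLs can be audited to confirm they only proxy origins you control and are requested over HTTPS. The following is an added example, not Statically's own code; it assumes the /img/<origin-host>/<path> layout shown in the request above, and the function names, allowlist and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

CDN_HOST = "cdn.statically.io"  # endpoint shown in the request example

def parse_statically_img_url(url):
    """Split an image URL laid out as in the example above:
    https://cdn.statically.io/img/<origin-host>/<origin-path>?w=..&q=..
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("not served over HTTPS")
    if parts.hostname != CDN_HOST:
        raise ValueError("not a cdn.statically.io URL")
    segments = parts.path.split("/", 3)  # ['', 'img', origin-host, rest]
    if len(segments) < 4 or segments[1] != "img" or not all(segments[2:]):
        raise ValueError("not an /img/<origin-host>/<path> URL")
    return {
        "origin_host": segments[2].lower(),
        "origin_path": "/" + segments[3],
        # Keep the last value if a parameter is repeated.
        "params": {k: v[-1] for k, v in parse_qs(parts.query).items()},
    }

def audit(urls, allowed_origins):
    """Return (url, reason) for every URL that needs review."""
    findings = []
    for url in urls:
        try:
            info = parse_statically_img_url(url)
        except ValueError as exc:
            findings.append((url, str(exc)))
            continue
        if info["origin_host"] not in allowed_origins:
            findings.append(
                (url, "origin %s is not on the allowlist" % info["origin_host"]))
    return findings

# Constructed sample input: asset URLs as they might appear in site templates.
SAMPLE_URLS = [
    "https://cdn.statically.io/img/yourdomain.com/wp-content/uploads/2026/05/your-image.jpg?w=800&q=75",
    "http://cdn.statically.io/img/yourdomain.com/logo.png",
    "https://cdn.statically.io/img/unknown-origin.example/banner.jpg?w=400",
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_URLS, {"yourdomain.com"}):
        print(reason, "->", url)
```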

For Statically Pro users with custom domains, the request would look similar, but the host would be your custom domain, which resolves to Statically's CDN infrastructure via DNS settings:

GET https://cdn.yourcustomdomain.com/wp-content/uploads/2026/05/your-image.jpg?w=800&q=75 HTTP/1.1
Host: cdn.yourcustomdomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://yourwebsite.com/

The DNS configuration for cdn.yourcustomdomain.com acts as the "authentication" that verifies your ownership and right to use Statically for that domain. This is a fundamental security mechanism for CDNs, ensuring that only domain owners can direct traffic through their services.

Security best practices

Although Statically's authentication model differs from traditional API-driven services, adherence to general security best practices is crucial for protecting your assets and account.

  • Always Use HTTPS: Ensure all your assets are served over HTTPS. Statically automatically serves assets via HTTPS, but confirm your origin server also uses HTTPS to prevent mixed content warnings and secure the initial fetch. HTTPS encrypts data in transit, protecting against man-in-the-middle attacks and ensuring data integrity. The W3C Content Security Policy (CSP) recommendations include ensuring all resources are loaded over secure protocols.
  • Secure Your Origin Server: Statically pulls assets from your origin server. Any vulnerabilities on your origin server (e.g., WordPress site) could expose your content or allow unauthorized modifications, which Statically would then cache and serve. Implement strong security measures on your origin, including regular updates, strong passwords, and firewalls.
  • Protect Your Statically Pro Account:
    • Strong, Unique Passwords: Use complex, unique passwords for your Statically Pro dashboard login.
    • Enable Two-Factor Authentication (2FA): If Statically offers 2FA for account logins, enable it immediately. This adds an extra layer of security, requiring a second verification step beyond just your password.
    • Regularly Monitor Usage: Periodically check your Statically Pro dashboard for unusual activity or excessive bandwidth consumption, which could indicate unauthorized use.
  • Verify DNS Settings: When setting up custom domains, double-check your DNS records. Incorrect configurations can expose your domain to hijacking or prevent Statically from serving your assets correctly. Ensure CNAME records point only to the specified Statically endpoint.
  • Content Security Policy (CSP): Implement a robust Content Security Policy on your website. This can help mitigate cross-site scripting (XSS) and other content injection attacks by specifying allowed sources for scripts, styles, and images. Include Statically's CDN domain (e.g., cdn.statically.io or your custom domain) in your image and script source directives.
  • Restrict Access to Origin Assets: If possible for certain assets, consider restricting direct access to your origin server's asset directories (e.g., via .htaccess rules or server configuration) while allowing Statically's IP ranges to access them. This can prevent direct hotlinking to your origin and force traffic through the CDN.
  • Understand Statically's Caching Behavior: Be aware of how Statically caches content. If you update an asset on your origin, you may need to clear the cache via the Statically dashboard (if available) or by modifying the asset's URL (e.g., adding a version query parameter) to ensure the CDN serves the latest version. This is important for security updates or removing sensitive content.
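For the Content Security Policy item above, one way to check that a policy actually admits the CDN host under both the image and script directives, including the fallback to default-src when a directive is missing. This is an added example, not code from Statically; the function names and sample policies are constructed, and source matching is simplified (no port handling, paths dropped, nonces and hashes skipped).

```python
def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        # A repeated directive is ignored; the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_allowed(sources, host, scheme="https"):
    """Simplified host-source matching (no port handling; paths are dropped)."""
    host = host.lower()
    # An http source also matches the https form of the same URL.
    ok_schemes = {scheme, "http"} if scheme == "https" else {scheme}
    for src in (s.lower() for s in sources):
        if src == "*" or (src.endswith(":") and src[:-1] in ok_schemes):
            return True
        if src.startswith("'") or src.endswith(":"):
            continue  # keywords such as 'self', or other schemes such as data:
        if "://" in src:
            src_scheme, src = src.split("://", 1)
            if src_scheme not in ok_schemes:
                continue
        src = src.split("/", 1)[0]  # drop any path component
        if src == host or (src.startswith("*.") and host.endswith(src[1:])):
            return True
    return False

def blocked_directives(header, cdn_host="cdn.statically.io",
                       directives=("img-src", "script-src")):
    """List the directives under which cdn_host would be blocked."""
    policy = parse_csp(header)
    blocked = []
    for name in directives:
        # A missing directive falls back to default-src; no policy means no limit.
        sources = policy.get(name, policy.get("default-src"))
        if sources is not None and not host_allowed(sources, cdn_host):
            blocked.append(name)
    return blocked

# Constructed sample policies.
COMPLETE = "default-src 'self'; img-src 'self' https://cdn.statically.io; script-src 'self' cdn.statically.io"
IMG_ONLY = "default-src 'self'; img-src 'self' *.statically.io"

if __name__ == "__main__":
    for policy in (COMPLETE, IMG_ONLY):
        print(blocked_directives(policy) or "CDN host allowed", "<-", policy)
```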