Putting a new web application straight on the public internet, without a protection layer such as Akamai CDN or Cloudflare DDoS mitigation, used to be fairly common. Today it is a strategic cyber security risk. Attackers automate reconnaissance, insurers raise expectations, and user experience is shaped by global performance standards. Relying solely on an origin server leaves too many gaps.

The Immediate Risks

Most organisations focus on DDoS attacks, and with good reason. Even a modest volumetric flood can overwhelm cloud instances or on-premise infrastructure. In recent years, several UK public sector bodies have experienced outages after straightforward attacks targeted unprotected services.

Without a global edge security platform absorbing traffic before it reaches your network, resilience depends entirely on the size of your hosting footprint. That exposes any public-facing site to high levels of operational and reputational risk.

Beyond DDoS, exposing an origin directly invites continuous probing. Attackers routinely sweep the internet for known frameworks, vulnerable libraries, and misconfigured services. Real-world incidents such as Log4Shell and the MOVEit breach showed how quickly automated scanners find and exploit weaknesses.

When your application sits behind Akamai or Cloudflare, malicious requests are filtered, challenged, or blocked at the edge. Without that protection layer, your origin must process every request, legitimate or not, increasing the chance of compromise.

A further concern is the lack of a mature Web Application Firewall (WAF). While some development teams add basic rules to the application itself, this rarely matches the coverage and speed of updates from specialist vendors. Credential-stuffing attacks, injection attempts, and zero-day exploits evolve daily. A WAF at the edge delivers enterprise-grade protection that is difficult to replicate internally.

Impact on Performance and Cost

Performance is now a security and user-experience consideration. Modern users expect fast responses, and global audiences amplify latency. Content Delivery Networks (CDNs) cache static content in regional points of presence, reducing load on the origin and improving performance.

Without this, your application must serve every asset directly. That drives up hosting costs and reduces headroom during traffic spikes, whether legitimate marketing activity or malicious scans.

Bot traffic is another growing burden. Inventory scraping bots, brute-force login attempts, and fake registrations consume resources and distort analytics. Bot management solutions at the edge identify and challenge these patterns before they reach your environment.

Without them, developers often end up creating ad-hoc defences that rarely keep pace.

Governance, Insurance, and Accountability

Cyber insurance providers and regulators increasingly expect a baseline of technical controls for secure web hosting. In some sectors, a WAF and DDoS mitigation are considered standard hygiene. Deploying without them can complicate claims and weaken your organisation’s cyber security narrative when speaking to the board. Senior leaders need confidence that the fundamentals of web application risk management are in place.

Are there Exceptions?

There are. Internal-only applications, temporary prototypes, and closed development environments may not need a full edge platform. But these should be the exception. Any public-facing application handling customer data or supporting business operations is better protected behind a global security and performance layer.

Final Thoughts

Deploying a web application without Akamai or Cloudflare is no longer just a technical choice; it shapes resilience, cost, user experience, and organisational risk. In a landscape where attacks are automated and expectations are high, the edge is not an add-on, it is the first line of defence.

Ready to review your edge, CDN or security stack? Contact us today:

📞 0113 341 0123

📧 hello@itogether.com