[Yandex Cloud documentation](../../../index.md) > [Yandex Cloud CDN](../../index.md) > [Step-by-step guides](../index.md) > Resources > Configuring a TLS profile

# Configuring a TLS profile for a CDN resource

Cloud CDN supports TLS 1.0 and higher for client connections.

For added CDN resource security, configure a dedicated profile to restrict the allowed TLS versions.

For more information, see [TLS profiles](../../concepts/clients-to-servers-tls.md#tls-profiles).

{% list tabs group=instructions %}

- REST API {#rest-api}

  To enable the option, add the `tls` section to the CDN resource specification in the request body when using the [create](../../api-ref/Resource/create.md) or [update](../../api-ref/Resource/update.md) method for a [Resource](../../api-ref/Resource/index.md):

  ```json
  "tls": {
    "profile": "<TLS_profile>"
  }
  ```

  Supported security profiles:
  * `PROFILE_STRICT`: Only TLS 1.3-compatible ciphers.
  
      {% note info %}
  
      All TLS 1.3 ciphers are considered secure.
  
      {% endnote %}
  
  * `PROFILE_SECURE`: Ciphers compatible with TLS 1.2+ that support PFS (Perfect Forward Secrecy) and AEAD (Authenticated Encryption with Asssociated Data).
  * `PROFILE_COMPATIBLE`: Ciphers compatible with TLS 1.2+ that have no known critical vulnerabilities.
  
      This profile is used by default.
  * `PROFILE_LEGACY`: Ciphers compatible with TLS 1.0+ that have no known critical vulnerabilities.

  Here is an example:

  ```bash
  export IAM_TOKEN=`yc iam create-token`
  curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://cdn.api.cloud.yandex.net/cdn/v1/resources' \
    --data '{
      "folderId": "b12m81qm6abc********",
      "cname": "cdn-portal.example.com",
      "origin": {
        "originSourceParams": {
          "source": "portal.example.com",
          "meta": {
            "common": { "name": "portal.example.com" }
          }
        }
      },
      "originProtocol": "HTTPS",
      "tls": {
        "profile": "PROFILE_SECURE"
      }
    }'
  ```

  Result:

  ```text
  {
    "done": true,
    "metadata": {
      "@type": "type.googleapis.com/yandex.cloud.cdn.v1.CreateResourceMetadata",
      "resourceId": "bc8rgivxwhcy********"
    },
    "response": {
      "@type": "type.googleapis.com/yandex.cloud.cdn.v1.Resource",
      "active": true,
      ...
      "tls": {
        "profile": "PROFILE_SECURE"
      },
      ...
    },
    "id": "bc8y2mnkri2d********",
    "description": "Create resource",
    "createdAt": "2026-02-05T18:02:30.735628Z",
    "createdBy": "aje9k8luj4qf********",
    "modifiedAt": "2026-02-05T18:02:30.735628Z"
  }
  ```

- gRPC API {#grpc-api}

  To enable the option, add the `tls` section to the CDN resource specification in the request body when calling [ResourceService/Create](../../api-ref/grpc/Resource/create.md) or [ResourceService/Update](../../api-ref/grpc/Resource/update.md):

  ```json
  "tls": {
    "profile": "<TLS_profile>"
  }
  ```

  Supported security profiles:
  * `PROFILE_STRICT`: Only TLS 1.3-compatible ciphers.
  
      {% note info %}
  
      All TLS 1.3 ciphers are considered secure.
  
      {% endnote %}
  
  * `PROFILE_SECURE`: Ciphers compatible with TLS 1.2+ that support PFS (Perfect Forward Secrecy) and AEAD (Authenticated Encryption with Asssociated Data).
  * `PROFILE_COMPATIBLE`: Ciphers compatible with TLS 1.2+ that have no known critical vulnerabilities.
  
      This profile is used by default.
  * `PROFILE_LEGACY`: Ciphers compatible with TLS 1.0+ that have no known critical vulnerabilities.

  Here is an example:

  ```bash
  export IAM_TOKEN=`yc iam create-token`
  grpcurl \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "folder_id": "b12m81qm6abc********",
          "cname": "cdn-portal.example.com",
          "origin": {
            "origin_source_params": {
              "source": "portal.example.com",
              "meta": {
                "common": { "name": "portal.example.com" }
              }
            }
          },
          "origin_protocol": "HTTPS",
          "tls": {
            "profile": "PROFILE_SECURE"
          }
        }' \
    cdn.api.cloud.yandex.net:443 \
    yandex.cloud.cdn.v1.ResourceService/Create
  ```

  Result:

  ```text
  {
    "id": "bc8h7teov4q7********",
    "description": "Create resource",
    "createdAt": "2026-02-05T18:19:01.262477Z",
    "createdBy": "aje9k8luj4qf********",
    "modifiedAt": "2026-02-05T18:19:01.262477Z",
    "done": true,
    "metadata": {"@type":"type.googleapis.com/yandex.cloud.cdn.v1.CreateResourceMetadata","resourceId":"bc8r4gogfqeb********"},
    "response": {..."tls":{"profile":"PROFILE_SECURE"},...}
  }
  ```

{% endlist %}

## Useful links {#see-also}

* [TLS profiles](../../concepts/clients-to-servers-tls.md#tls-profiles)
* [API authentication](../../api-ref/authentication.md)