Akamai on Eknix — Web security & performance for the enterprise

API Security in Ecommerce: What CTOs Get Wrong

Tue, 26 May 2026 00:00:00 +0000

Most ecommerce CTOs we talk to have a reasonable handle on their frontend security posture. WAF in place, DDoS protection sorted, bot management on the roadmap. The conversation gets uncomfortable when it turns to APIs.

It’s not that they’re unaware. They know APIs need securing. The attack surface is just bigger than it looks, the tooling caught up later than it did on the web application side, and most API programmes have gaps nobody’s had time to close. Then on top of that, AI shopping agents have started hitting ecommerce APIs in volume over the last year, and that has changed what “normal” traffic even means.

How Page Latency Kills Ecommerce Revenue in 2026 (And How to Fix It)

Fri, 22 May 2026 00:00:00 +0000

Speed is not a feature. It is revenue.

That framing still surprises some CTOs when we use it in a first meeting. Performance has traditionally lived in the engineering team, treated as a quality metric or a technical concern, something you optimise when you have spare sprint capacity. Finance does not talk about it. The board does not ask about it. It does not appear on the P&L.

Except it does. It appears indirectly, in conversion rates, in average order value, in cart abandonment, in paid acquisition efficiency. And the relationship between milliseconds and money is well-documented enough at this point that treating performance as a secondary concern is, plainly, a commercial mistake.

How Bot Attacks Drain Fintech Revenue — And How to Stop Them

Tue, 19 May 2026 00:00:00 +0000

Bots now account for nearly half of all internet traffic. But not all bots are created equal — and the ones targeting your fintech platform aren’t browsing. They’re working.

They’re testing stolen card numbers against your payment API. They’re taking over customer accounts. They’re scraping your pricing data. They’re stuffing credentials until one works. And while they do it, they’re quietly draining your revenue, degrading your infrastructure performance, and eroding the trust your customers place in you.

Bot management isn't a checkbox — it's a tuning practice

Wed, 18 Mar 2026 00:00:00 +0000

Bot management is one of those product categories where the marketing makes it sound like a turnkey product. Buy the platform, flip it on, the bots disappear. In reality, every bot management deployment we’ve inherited from a “turn it on and forget it” approach has been measurably underperforming — sometimes spectacularly.

Why generic defaults fail

The vendors aren’t lying when they say their products work out of the box. They do — for a generic web application. The problem is that no real application is generic.

How CDN node mapping actually works

Mon, 10 Nov 2025 00:00:00 +0000

There’s an interview question that used to be a rite of passage in backend engineering: “Walk me through everything that happens when a user types a URL and hits enter.” Most answers got stuck on DNS and TLS. The part most people glossed over — how the request actually lands on the right CDN node out of thousands distributed globally — is where the interesting engineering lives.

Get the mapping wrong and your users in Singapore are hitting a PoP in Frankfurt. The latency shows up in your P75 TTFB, in your bounce rate, and eventually in your revenue numbers.

Why CDN Vendors Hide Their Prices (And What to Do About It)

Wed, 10 Sep 2025 00:00:00 +0000

You’ve spent hours comparing solutions. One site finally looks right. You want to know what it costs. And instead of a number, you get a button: “Contact Sales.”

If that’s felt like a wall, you’re not alone. But having been on both sides of that conversation — as a buyer evaluating CDN options and as a practitioner who’s helped clients negotiate enterprise contracts — I can tell you the button isn’t evasion. It reflects something real about how these products are built and sold. Understanding the logic makes the process a lot less frustrating.

CDN to Origin Certificates: Your Own CA with OpenSSL

Tue, 15 Jul 2025 00:00:00 +0000

There’s a common assumption that because a CDN handles the TLS connection your users see — the certificate shown in the browser’s address bar — you don’t need to think too hard about certificates on your origin. That’s wrong, and the consequences show up as cryptic error codes rather than obvious failures.

A CDN like Akamai doesn’t act as a transparent tunnel. It terminates the TLS session from the client, inspects and processes the request, then opens a new TLS session toward your origin. Two separate connections, two separate certificate validations.

Is Google reCAPTCHA a DDoS Defence? The Cost Math Says No

Wed, 14 May 2025 00:00:00 +0000

There’s a category of question that gets asked quietly in Slack channels and in private post-incident reviews: “could we just use reCAPTCHA to handle this?” It’s not an unreasonable instinct. Google reCAPTCHA is already deployed on most sites, it can challenge suspicious traffic, and it costs nothing for the first ten thousand requests. As a lightweight speed bump, it has its place.

But “speed bump against DDoS traffic” and “speed bump against spam submissions” are very different things — and running reCAPTCHA into a volumetric attack has a financial profile that most teams haven’t priced out before they need to.

Do You Know How Your Customers Experience Your Site? Or Just Where They Go?

Thu, 10 Apr 2025 00:00:00 +0000

Most engineering teams I talk to have Google Analytics. A lot of them assume that means they understand how their site is performing. It doesn’t.

Google Analytics is an excellent tool for answering one set of questions: where do users come from, where do they go, what do they convert on, where do they drop off? It’s a behavioural map. It tells you the path. What it doesn’t tell you is what the path felt like — how long it took, how it degraded under load, which users are bouncing not because the content is wrong but because the page took five seconds to load on a 4G connection in Germany.

Is Your Website Ready for the Holiday Rush?

Tue, 03 Dec 2024 00:00:00 +0000

11.11 just happened. Black Friday is right behind it. Then Christmas, then New Year’s. If your platform survived Singles Day with headroom to spare, you might be tempted to relax. Don’t. Each of these events amplifies the same underlying gaps — and the ones that don’t show up under moderate traffic tend to surface spectacularly under peak load.

The preparation conversation usually focuses on infrastructure scaling: more instances, higher database connection limits, load balancer tuning. That’s necessary but not sufficient. Two factors that consistently determine whether a platform has a good or bad holiday season sit outside the application layer entirely: security posture and edge performance.