This means that when a CDN service is used as a WAF, the web application it protects is open to Internet traffic, and is expected to validate that it responds only to web traffic that originates from and by the CDN service.

When this validation is lacking, backend applications can easily be directly accessed over the Internet.

So, misconfigured backends that don’t limit access to CDN sources can be fingerprinted through web scans. Seems like a big honking nothing-burger.