[shkkmo]

Can't you just setup your CDN assets on a seperate domain with TLS termination so that you don't have to expose any non-static data to a 3rd party?

[gchambert]

Yes of course. The dynamic part of your site will still need protection, though. And if you offload static assets to a third-party, you'll have smaller pipes for non-static data, thus you are less likely to handle a DDoS. So you'll still need someone to protect your non-static data.