As of May 2026, at least four major CDN providers — Google (fronted via www.google.com), Fastly (fronted via www.python.org), Vercel (fronted via nextjs.org), and Netlify/CloudFront (fronted via kubernetes.io) — route requests based on the HTTP Host header regardless of the outer TLS SNI, enabling domain fronting across more than 20 distinct high-value destinations. The correct fronting SNI for each CDN is selected by inspecting the SAN list of the CDN edge certificate and choosing a co-hosted domain the censor permits.
From 2026-patterniha-mitm-domainfronting — MITM-DomainFronting: client-only domain fronting via local TLS MITM with a user-installed CA · README / Supported destinations · 2026 · GitHub (1.5k stars; merged into XTLS/Xray-core via PR
Implications
Maintain a live, CDN-keyed fronting map built from SAN-list inspection rather than hostname assumptions — patterniha's config (20 versioned releases through May 2026) is the most current public reference for which CDN edges still tolerate SNI/Host mismatch.
Use verifyPeerCertByName-style SAN validation rather than hostname matching in outbound TLS config, so the correct CDN edge cert is accepted even when the dialed SNI differs from the intended destination.
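The SAN check from the last implication, as an added example that is not taken from patterniha's config or from Xray-core: the peer is accepted on what its certificate's SAN list covers, with the dialed SNI playing no part in the decision. The function names and the SAN list are constructed for illustration, and chain validation is assumed to have been done by the TLS library before this check runs.

```python
"""SAN-based peer verification decoupled from the dialed SNI (added example)."""


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is the same name.
    return name.rstrip(".").lower()


def san_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style match of one dNSName SAN entry against a DNS name."""
    p_labels = _normalize(pattern).split(".")
    n_labels = _normalize(name).split(".")
    if len(p_labels) != len(n_labels) or "" in n_labels:
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one leftmost label and needs at least
        # two literal labels after it, so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == n_labels[1:]
    # Partial wildcards ("f*.example") are rejected, as modern clients do.
    return "*" not in pattern and p_labels == n_labels


def verify_peer_cert_by_name(san_dns_names, allowed_names):
    """Return the first allowed name covered by the certificate's SAN list.

    The SNI that was dialed is deliberately not an input: the decision rests
    only on what the presented certificate vouches for. Chain validation is
    assumed to have been done already by the TLS library.
    """
    for allowed in allowed_names:
        if any(san_matches(san, allowed) for san in san_dns_names):
            return allowed
    raise ValueError("certificate SAN list covers none of the allowed names")


# Constructed SAN list standing in for a shared CDN edge certificate.
CONSTRUCTED_EDGE_SANS = ["front.example", "*.cdn.example", "dest.example"]

if __name__ == "__main__":
    # Dialed SNI was front.example; the intended destination is dest.example.
    print(verify_peer_cert_by_name(CONSTRUCTED_EDGE_SANS, ["dest.example"]))
```

Failing closed when no allowed name is covered is the point of the design: certificate verification stays on, and only the name being checked changes.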