Currently someone aware of an OCS CDN installation can upload arbitrary image content without using OCS webserver to do so.
We would need to add an ini or config file to CDN which contains a private key, and a matching key in OCS webserver, so OCS CDN will deny uploads without the accompanying key. This will prevent unauthorized content from being loaded hidden from webserver.