Are you sure the content is indeed uploaded to the FastDL server?
Show us your URL, you could be doing something wrong. Your URL is not hidden nor private, it doesn’t matter if someone knows your sv_downloadurl.
If someone joins your server and types sv_downloadurl without anything behind it, they will get to see your URL.
You can disable sv_allowupload if you do not plan on using sprays, for security, and if you have a FastDL server where everything is uploaded to, you might aswell disable sv_allowdownload. Net_maxfilesize only works for files that are downloaded from the server, not from a FastDL server. I’m not sure what cl_downloadfilter does, however, it’s a client command so I’m not sure if even does anything in your server.cfg.
If you want to make sure all your server’s content is on the FastDL server, use a program called SourceRSC