Disable Web Application Firewall (WAF) bypass
If someone knows your hidden Hosting IP, they can bypass your Web Application Firewall (WAF) and try to access your website directly. It's not common or easy to do, but for additional security, we recommend only allowing HTTP access through your WAF. You can limit access to your website by adding a restriction to your
Warning: Wait until your DNS changes have fully propagated before following the directions below. This can take up to 24 hours after you've set up your WAF.
- Go to your GoDaddy product page.
- For Website Security and Backups, select Manage All.
- For the site you want to configure, select Details under Firewall.
- Select Settings.
- Select Security and scroll down to Preventing Firewall Bypass.
- Select your server type. For Apache servers, add the code to your
.htaccessfile. For NGINX, you'll need to add the code to your NGINX configuration file.
- If you're using IIS, instructions vary between versions - IIS 7 and IIS 8. You can also try to use web.config file to prevent bypass.
- Are you getting a 500 error code after adding the bypass prevention rules? Remove the line referring to IPv6 from the bypass prevention code and see if the error is gone. It can take a few minutes for the 500 error to clear after removing that line.