Exposure · Check
Origin IP reachable directly — preventing CDN/WAF bypass
If attackers can resolve and connect to your origin server's IP directly, they bypass every protection your CDN or WAF enforces — rate limits, bot blocks, geo restrictions, custom WAF rules, and DDoS mitigation. Cloudflare, Fastly, and Akamai all publish their egress IP ranges so origin firewalls can permit only edge traffic.
Why it matters
The fix is to allowlist the CDN's IP ranges at your origin firewall (Cloudflare's are at https://www.cloudflare.com/ips), reject Host headers that don't match your domain, and verify direct-IP requests return a deny response after the change.
Real-world risk
If attackers can hit origin IPs directly, they may bypass CDN/WAF protections, rate limits, and bot controls enforced at the edge.
Fix steps (in order)
- Restrict origin ingress so only your CDN/WAF egress IP ranges can reach ports 80/443 on the origin.
- Enforce Host header and TLS SNI checks at the origin, and return a deny response to any request whose Host or SNI does not match a domain you serve (such a request did not arrive through a known edge path).
- Re-test direct-to-IP access after firewall updates to confirm the origin no longer serves public traffic.
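The steps above, as an added Python example that is not part of the Scorifya page: a small origin-side gate that applies the network allowlist first and the Host check second (assumed function names from_edge, host_ok, decide), plus a helper that emits the matching nftables ruleset for ports 80/443. The CIDRs and hostnames are constructed documentation values standing in for the CDN's published egress list.

```python
import ipaddress

# Constructed sample values (RFC 5737/3849 documentation ranges) standing in
# for the CDN's published egress list, e.g. https://www.cloudflare.com/ips.
EDGE_RANGES = [ipaddress.ip_network(c) for c in
               ("198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
ALLOWED_HOSTS = {"example.com", "www.example.com"}   # constructed


def from_edge(src_ip: str) -> bool:
    """True only if the connecting address lies inside a CDN egress range."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in EDGE_RANGES)


def host_ok(host_header) -> bool:
    """Reject a missing Host, an IP literal (the client skipped DNS and the
    CDN), or any name we do not serve. A trailing :port is ignored."""
    if not host_header or host_header.startswith("["):   # [v6-literal]:port
        return False
    name = host_header.strip().lower().rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(name)
        return False                                      # bare IPv4 literal
    except ValueError:
        return name in ALLOWED_HOSTS


def decide(src_ip: str, host_header) -> tuple:
    """Layered origin check: network allowlist, then Host validation."""
    if not from_edge(src_ip):
        return (403, "source not in CDN egress allowlist")
    if not host_ok(host_header):
        return (421, "Host header does not match a served domain")
    return (200, "ok")


def nft_rules(ranges=EDGE_RANGES, ports=(80, 443)) -> str:
    """Emit an nftables ruleset admitting the ports only from the ranges."""
    plist = ", ".join(str(p) for p in ports)
    out = ["table inet origin {"]
    for fam, ver in (("ip", 4), ("ip6", 6)):
        nets = ", ".join(str(n) for n in ranges if n.version == ver)
        if nets:   # an empty elements list is invalid nft syntax, so skip it
            out.append("  set cdn_v%d { type ipv%d_addr; flags interval; elements = { %s } }"
                       % (ver, ver, nets))
    out.append("  chain input { type filter hook input priority 0; policy accept;")
    for fam, ver in (("ip", 4), ("ip6", 6)):
        if any(n.version == ver for n in ranges):
            out.append("    %s saddr @cdn_v%d tcp dport { %s } accept" % (fam, ver, plist))
    out.append("    tcp dport { %s } drop" % plist)   # every other source hitting the origin
    out += ["  }", "}"]
    return "\n".join(out)
```

Load the generated ruleset with `nft -f` only after replacing the sample ranges with the live published list, then re-run the direct-to-IP test from outside the CDN.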
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (origin_ip_direct_access) clears once the externally-observable signal is in place.