
Hosting Provider Permissions

Some hosting providers have policies that restrict or prohibit security scanning of applications hosted on their infrastructure. Before scanning, you may need to obtain permission from your hosting provider or notify them in advance.

Why This Matters

Detectify’s scanner sends security testing payloads that can resemble attack traffic. Hosting providers that monitor for malicious activity may:

  • Block the scanner’s IP addresses
  • Throttle or rate-limit requests
  • Flag your account for suspicious activity
  • Temporarily suspend your service

Obtaining permission in advance prevents these issues and ensures your scans complete successfully.

Providers That May Require Permission

WPEngine

WPEngine’s terms of service restrict security scanning. Before scanning a WPEngine-hosted site:

  • Contact WPEngine support to request permission for security testing
  • Provide the scanner IP addresses and the expected scan window
  • WPEngine may need to temporarily adjust their WAF rules for your site

HubSpot

HubSpot-hosted sites are on shared infrastructure with security controls that may block scanner traffic:

  • Contact HubSpot support before scanning
  • Provide details about the scan scope and timing
  • Some HubSpot plans may not permit external security scanning

Akamai

If your site uses Akamai’s CDN and security services:

  • Akamai’s bot detection may block scanner traffic
  • Contact your Akamai representative to allowlist Detectify’s scanner IPs
  • See Allow Through WAF for WAF-specific configuration

Shopify

Shopify-hosted stores have security restrictions:

  • Shopify’s infrastructure includes built-in protection that may block scanning
  • Contact Shopify support to discuss security testing options
  • Some Shopify plans restrict external scanning

Google Cloud Platform

Google Cloud requires notification before conducting security testing:

  • Review Google Cloud’s Acceptable Use Policy for security testing requirements
  • Google requires that you notify them before performing penetration testing on Google Cloud-hosted resources
  • No formal approval is needed, but notification is required

General Recommendations

For any hosting provider not listed above:

  1. Review the provider’s terms of service for clauses about security testing or penetration testing
  2. Contact the provider’s support team before scanning to notify them and ask about any restrictions
  3. Provide scanner details including IP addresses, expected scan duration, and the target URLs
  4. Document the permission received for your compliance records
  5. Schedule scans during low-traffic periods to minimize any impact on shared infrastructure

When Scanning Is Blocked

If your hosting provider blocks scans even though you have obtained permission:

  • Ask the provider to allowlist Detectify’s scanner IP addresses at the infrastructure level
  • Consider using Internal Scanning with a locally deployed agent, which scans from within your network
  • If the provider cannot accommodate external scanning, discuss alternative security testing approaches with your Detectify account team