API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
Web security
Web security
BillingCreate protected resourceUse Web Security and CDNConfigure protection settingsAdd an SSL certificateRate LimiterSet the Access PolicyDeny accessSet the X-Forward-For headerCheck reports
View eventsCreate rulesRule typesManage triggersSettings
How do I change an A record?What criteria do you analyze?I see lots of requests from several IPs. Could this be an attack?I changed my A record long time ago, but you are not filtering it. What to do?Attackers have found out my origin IP and are attacking it directly. What should I do? directly. What should I do?Who is attacking us?Will a blacklisted user get unblocked after a particular time?During a DDoS attack, we changed your IP address, but we still have problems with the performance. Why?Do you protect against attacks targeted at DNS?Can you disable the protection for some time for the entire site or certain parts of the site?How long does the service enabling take?Which web crawlers doesn't your service block?Force an IP banGet all banned IP addresses for all resourcesRenew SSL certificates
API
Chosen image
Home/Web security/Configure protection settings

Configure additional protection settings

Good website protection requires a layered approach. We described the main settings in the "Create and configure resource under protection" article. Implement additional protective measures to minimize the website vulnerability.

Change your IP

An attacker can get your real IP using DNS History and attack it directly. Get a new IP and put it in the "Original IP" field in the Control panel. Don't mention/publish the IP anywhere else.

Check your DNS records

If you have subdomains or other records that point to the real IP, change them to another IP.

Check your HTML code

Ensure that your HTML code doesn't have references to your real IP.

Set IP access policy

Limit access to your server for all but our subnets and some trusted IPs. We mention ways to set the limits in the "Deny access to everyone except trusted IPs and Gcore subnets" article.

Configure your mail service

Configure a separate email server. If you are running your mail server on the same server as your website, an attacker can find your origin server IP.

Restore users' IP addresses

Configure the X-Forwarded-For HTTP header to restore real visitors' IP addresses. Otherwise, you will see requests only from our subnets.

Reduce server load

Move the static assets (images, video, css, JavaScript) to a subdomain and use CDN to deliver them. It reduces server load and bandwidth. 

IPv6

By default, we protect only IPv4 addresses, so if your website is also available via IPv6 we recommend removing the A record for IPv6 address from your DNS settings or adding protection for it. The IPv6 protection can be added by request. For details, reach us via chat or email to support@gcore.com.

Was this article helpful?

Not a Gcore user yet?

Discover the all-in-one Web security solution by Gcore

Go to the product page
Edit on GitHub