Configure Server Access
How to allowlist CodeWall's infrastructure so it can reach your targets.
If your target is behind a firewall, WAF, or IP allowlist, you'll need to grant CodeWall access.
Allowlist before testing
For complete and accurate results, configure your firewall and WAF before launching a test. If CodeWall's traffic is blocked, the test will still run but may produce fewer findings and take significantly longer.
Identifying CodeWall traffic
Every outbound HTTP request from a CodeWall test worker carries two headers:
| Header | Example value | Purpose |
|---|---|---|
| X-CodeWall-Run-Id | run_01JBX… | Links the request to a specific test run. Use this to correlate traffic in your access logs. |
| User-Agent | …CodeWall/1.0 (+https://scanner.codewall.ai) | Appended to the existing User-Agent string so you can filter or allowlist by substring. |
You can use these headers to build WAF rules, filter access logs, or verify that traffic is coming from a legitimate CodeWall test.
CodeWall IP allowlist
CodeWall's testing infrastructure operates from fixed reserved IPs in four regions. These are the only addresses our scanners egress from — every outbound packet from a CodeWall test run is SNAT'd to one of these IPs. We do not use dynamically-allocated cloud IPs, and any CIDR ranges we previously published are no longer relevant.
| Region | Location | IP address |
|---|---|---|
| lon1 | London, UK | 209.38.170.234 |
| ams3 | Amsterdam, NL | 188.166.134.209 |
| fra1 | Frankfurt, DE | 129.212.194.135 |
| nyc1 | New York, US | 168.144.12.133 |
Allowlist all four — any one may appear depending on which region the test is dispatched to. If you ever see traffic claiming to be CodeWall from any other IP, it isn't us; please report it to [email protected].
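An access-log check for the rule above, added here as an example and not CodeWall's own code: it flags requests that claim to be CodeWall (by User-Agent substring or X-CodeWall-Run-Id) but arrive from an address outside the four reserved IPs, and counts verified requests per run. It assumes an nginx "combined" log extended with a trailing field for the run-id header and that the logged address is the real client IP; the sample lines and run ids are constructed.

```python
import ipaddress
import re
from collections import Counter

# The four reserved egress IPs from the table above.
CODEWALL_IPS = {ipaddress.ip_address(ip) for ip in (
    "209.38.170.234", "188.166.134.209", "129.212.194.135", "168.144.12.133")}
UA_MARKER = "CodeWall/1.0"
# Assumed format: nginx "combined" plus a trailing quoted field that logs
# $http_x_codewall_run_id ("-" when the header is absent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<run_id>[^"]*)"$')

def classify(line):
    """Return (verdict, fields); verdict is codewall, spoofed, other or unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", {}
    f = m.groupdict()
    try:
        src = ipaddress.ip_address(f["ip"])
    except ValueError:
        return "unparsed", f
    # Headers are client-supplied, so they only show what a request claims;
    # the source IP decides whether the claim holds.
    claims = UA_MARKER in f["ua"] or f["run_id"] not in ("", "-")
    if not claims:
        return "other", f
    return ("codewall" if src in CODEWALL_IPS else "spoofed"), f

def summarize(lines):
    """Count verified requests per run id and spoofed requests per source IP."""
    runs, spoofed = Counter(), Counter()
    for verdict, f in map(classify, lines):
        if verdict == "codewall":
            runs[f["run_id"]] += 1
        elif verdict == "spoofed":
            spoofed[f["ip"]] += 1
    return dict(runs), dict(spoofed)

# Constructed sample lines; run ids are placeholders, 203.0.113.7 and 198.51.100.20 are documentation addresses.
UA = "Mozilla/5.0 CodeWall/1.0 (+https://scanner.codewall.ai)"
SAMPLE = [
    f'209.38.170.234 - - [01/Jan/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "{UA}" "run_EXAMPLE1"',
    f'188.166.134.209 - - [01/Jan/2025:10:00:01 +0000] "POST /api HTTP/1.1" 403 0 "-" "{UA}" "run_EXAMPLE1"',
    f'203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "{UA}" "run_EXAMPLE2"',
    '198.51.100.20 - - [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
]
```

Calling `summarize(SAMPLE)` returns the per-run counts for verified traffic and the source addresses of spoofed requests.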
Firewall configuration
Add the four CodeWall reserved IPs above to your firewall allowlist:
AWS Security Groups
- Navigate to EC2 > Security Groups
- Select the security group for your target
- Add inbound rules allowing traffic from CodeWall's IPs on the relevant ports (typically 80, 443)
Cloudflare
- Go to Security > WAF > Tools
- Create an IP Access Rule for each of CodeWall's IPs with action Allow
Other providers
Add CodeWall's IPs to your provider's allowlist. The specifics vary — consult your provider's documentation.
WAF considerations
Web Application Firewalls may block CodeWall's testing traffic. Options:
- Allowlist CodeWall's IPs in your WAF rules — recommended for production testing
- Disable WAF for the test account's traffic (if possible) — provides the most complete results
- Leave WAF active — CodeWall will test against the WAF, which is realistic but may reduce finding count
Impact of WAF blocking test traffic
When a WAF actively blocks CodeWall's testing traffic:
- Reduced finding count — exploit payloads are blocked before reaching the application, so vulnerabilities behind the WAF may not be discovered
- Slower scans — rate limiting and request blocking cause retries and longer test duration
- Incomplete coverage — entire attack classes (e.g. SQL injection, XSS) may be untested if the WAF blocks those payload patterns
CodeWall detects WAFs during reconnaissance and will display a warning on the test detail page if one is found.
Rate limiting
If your application has rate limiting:
- Exempt CodeWall's IPs from rate limits, or
- Configure a higher rate limit threshold for testing IPs
- If you can't adjust rate limits, CodeWall will automatically pace requests, but testing will take longer
DNS and hosts
If your target uses a private DNS or is accessible via a specific hostname:
- Ensure the hostname resolves to a publicly accessible IP, or
- Contact support to configure custom DNS resolution for your test
Verifying access
After configuring access, verify that CodeWall can reach your target:
- Create a new test with your target URL
- CodeWall runs a pre-flight connectivity check before starting
- If the check fails, review the error message and adjust your configuration

