Restrict IP Disclosure in CDNs
Avoid disclosing web server IP addresses and limit access to them to CDNs and authorised networks.
Plain language
This control is about making sure only authorised networks, such as Content Delivery Networks (CDNs), know the IP addresses of your web servers. If those addresses fall into the wrong hands, attackers can bypass the CDN's protections and attack your servers directly.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Official control statement
If using CDNs, disclosing the IP addresses of web servers under an organisation's control (referred to as origin servers) is avoided and access to the origin servers is restricted to the CDNs and authorised management networks.
Why it matters
Exposing origin server IPs enables attackers to bypass CDN protections, directly target the origin, and cause outages or data compromise.
Operational notes
Maintain allowlists so origin servers only accept traffic from CDN egress IP ranges and authorised management networks; review and update rules when CDN IPs change.
Implementation tips
- The IT team should configure the web server settings to hide the server's IP addresses from the public. They can do this by using tools that mask the IP and ensure only the CDN has access to it.
- Network administrators should set up firewall rules to restrict access to the servers. Only the CDN's range of IP addresses and any other authorized networks should be allowed through.
- Security managers should regularly review who can access the web servers. They need to ensure that only authorized personnel and CDNs have IP access, updating these permissions regularly.
- Web developers should use the features of CDNs that help secure IP addresses from being disclosed, such as IP masking or proxy settings offered by the CDN service.
- The operations team should train staff on why keeping web server IPs secret is essential. This can include security awareness sessions explaining how revealing these IPs can lead to potential risks.
Audit / evidence tips
- Ask: the network access control list. Request the document showing which IPs are allowed to access the web servers.
  Good: it does not include any unauthorized IP addresses.
- Ask: policies that outline how IP addresses are concealed and restricted.
  Good: a detailed procedure document with clear steps and assigned roles.
- Ask: logs of server access attempts. Request logs that show who has tried to connect to the servers.
  Good: they show only access from the CDN and authorized partners.
- Ask: a demonstration of the firewall settings on relevant servers.
  Good: it shows that only authorized IP ranges are present.
- Ask: to see any security incident reports involving IP exposure. Request documents or reports concerning past incidents related to IP address exposure.
  Good: they show that no such incidents have occurred, or, if they have, how they were resolved and prevented from recurring.
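The operational note and the audit tips above come down to two checks: the origin allowlist must contain only the CDN's egress ranges and the management network, and the origin access log must show no clients outside those ranges. The script below is an added example, not code from Control Stack or the ISM; every CIDR and log line in it is a constructed sample (documentation ranges, not a real CDN's published list), and the log format assumed is a common-log-style line with the client IP as the first field. It also flags allowlist entries that have drifted wider than the published CDN ranges, which is the stale-rule case the note warns about.

```python
import ipaddress

# Constructed sample data: the CDN's published egress ranges and the
# organisation's management network. Replace with the real published list.
CDN_EGRESS = ["203.0.113.0/24", "198.51.100.0/25"]
MANAGEMENT = ["192.0.2.0/28"]

# Constructed origin-server firewall allowlist to audit.
ORIGIN_ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/24",
                    "192.0.2.0/28", "10.9.8.7/32"]

# Constructed origin access-log lines; the client IP is the first field.
ACCESS_LOG = """\
203.0.113.17 - - [19/Mar/2026:10:00:01 +1100] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [19/Mar/2026:10:00:02 +1100] "GET /admin HTTP/1.1" 200 128
198.51.100.200 - - [19/Mar/2026:10:00:03 +1100] "GET / HTTP/1.1" 200 512
"""


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def audit_allowlist(allowlist, cdn, mgmt):
    """Return allowlist entries that are not fully inside an approved range.

    A rule wider than the published CDN range (e.g. /24 where the CDN
    publishes /25) is reported too, since it admits non-CDN traffic.
    """
    approved = _nets(cdn) + _nets(mgmt)
    unauthorized = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry)
        if not any(net.subnet_of(a) for a in approved
                   if a.version == net.version):
            unauthorized.append(entry)
    return unauthorized


def find_bypass(log_text, cdn, mgmt):
    """Return client IPs seen at the origin that are outside CDN and management ranges."""
    approved = _nets(cdn) + _nets(mgmt)
    hits = []
    for line in log_text.splitlines():
        ip = ipaddress.ip_address(line.split()[0])
        if not any(ip in a for a in approved):
            hits.append(str(ip))
    return hits


if __name__ == "__main__":
    print("Unauthorized allowlist entries:", audit_allowlist(ORIGIN_ALLOWLIST, CDN_EGRESS, MANAGEMENT))
    print("Direct-to-origin clients:", find_bypass(ACCESS_LOG, CDN_EGRESS, MANAGEMENT))
```

Run it against the real allowlist export and a log sample whenever the CDN republishes its ranges; any output from either function is a finding for the audit evidence list.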
Cross-framework mappings
How ISM-1439 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (3) | |
| Annex A 8.3 | ISM-1439 requires restricting access to origin web servers so only CDNs and authorised management networks can reach them, and avoiding d... |
| Annex A 8.20 | ISM-1439 focuses on protecting origin servers behind CDNs by preventing IP disclosure and enforcing network access restrictions to only t... |
| Annex A 8.22 | ISM-1439 requires organisations using CDNs to avoid disclosing origin server IP addresses and to restrict origin access to the CDN and au... |
| Supports (1) | |
| Annex A 8.9 | ISM-1439 requires specific secure configurations to hide origin IP addresses and restrict origin access to CDN and authorised management ... |
| Depends on (1) | |
| Annex A 5.15 | ISM-1439 requires a defined approach to preventing origin IP disclosure and restricting origin server access to CDNs and authorised manag... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.