Under attack?Get protected

Developers

Guides and API reference for connecting domains and integrating HotWall

FAQ: Answer our questions

  • What is Hotwall?

    Hotwall is a cloud-based WAF (Web Application Firewall) and DDoS protection system, you connect your domain and all traffic passes through our network, where malicious requests are filtered before they reach your server

  • How do I connect a domain?

    Go to Domains, click "Add Domain", enter your domain and server IP address, then update DNS records at your registrar - see the "How to Connect a Domain" guide below for the exact steps

  • What plans are available?

    We offer a free plan with basic protection and several paid plans with advanced features: higher limits, custom firewall rules, priority support, and more, view plans on the Tariffs page

  • How does DDoS protection work?

    Once your domain is connected, all incoming traffic is routed through our network, we analyze each request in real time using rulesets and behavioral analytics, suspicious visitors are shown a Challenge page, while malicious traffic is blocked, legitimate users reach your site without delay

  • How do I configure firewall rules?

    Open the domain in Domains, go to the "Firewall" tab, there you can create rules based on IP, country, URL, User-Agent, and other parameters, each rule is assigned an action: Pass, Challenge, or Block

  • How does the referral program work?

    Share your referral link with friends, when they sign up and purchase a paid plan, you earn a commission, withdrawals are available after 2 sales, learn more on the Referrals page

  • How do I top up my balance?

    Go to Billings and click "Top Up", we accept crypto and other payment methods, once the transaction is confirmed, your balance updates automatically

How to connect a domain

Instructions for connecting a Domain

1

Remove old DNS records

Remove all existing A and AAAA records from your DNS manager before adding new records

2

Add CNAME record

Add a CNAME record targeting hotwall.app, exactly hotwall.app, not an example value

3

Disable proxy

Proxy Status must be disabled, in Cloudflare turn off the orange cloud and use DNS only mode

Hiding your origin IP from scanners

How to hide your real server IP from Censys, Shodan, and ZoomEye

Important: set up protection before exposing your server via the domain. If the backend was already publicly accessible, scanners may have already indexed its real IP

1

Set up protection first

Before pointing your domain to the backend, configure protection through Hotwall. If the server is already reachable under that domain, scanners like Censys, Shodan, and ZoomEye may already know its real IP. Correct order: add domain in Hotwall → set DNS CNAME to hotwall.app → verify traffic flows through Hotwall

2

Configure your server to respond only to your domain

Configure your origin server (Nginx/Apache) to serve your site only when requests arrive with the correct Host header (your domain). All other requests - direct IP or wrong Host - should return 404. This prevents scanners from discovering site content behind your IP

Nginx Configuration
# Default: return 404 for unknown Host / direct IP
server {
    listen 80 default_server;
    listen 443 ssl default_server;

    ssl_certificate     /etc/ssl/certs/dummy.crt;
    ssl_certificate_key /etc/ssl/private/dummy.key;

    return 404;
}

# Your real site
server {
    listen 80;
    server_name yourdomain.com;
    # ... your config ...
}
Apache Configuration
# Default: return 404 for unknown Host / direct IP
<VirtualHost _default_:80>
    Redirect 404 /
</VirtualHost>

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/dummy.crt
    SSLCertificateKeyFile /etc/ssl/private/dummy.key
    Redirect 404 /
</VirtualHost>

# Your real site
<VirtualHost *:80>
    ServerName yourdomain.com
    # ... your config ...
</VirtualHost>
3

Restrict server access

Optionally restrict incoming connections on ports 80/443 to Hotwall's IP ranges only via firewall (iptables/ufw). Contact support for the full list of IP ranges

Common Mistakes

Don't leave old A / AAAA records

A CNAME cannot coexist with A or AAAA records on the same hostname, remove them first, otherwise DNS resolution will break

Cloudflare proxy must be OFF

Keep the record in DNS only mode (grey cloud), with the proxy enabled traffic bypasses Hotwall and protection will not work

Check the correct hostname

Make sure you add the CNAME for the right hostname: @ for the root domain, www for the www subdomain, need both? Create two separate CNAME records

Enterprise API

White-Label options

White-label DDoS protection for providers to resell under their own brand

Automatic protection activation

Protection is activated automatically after the setup process is completed

Automatic domain management

Domain management is handled automatically after the setup process is completed

Bulk client management

Bulk tools for managing multiple clients and protection setups at scale

Hosting and partner integration

Hosting and partner integration for connecting protection setup with provider and partner workflows