How to protect a server's IP from being exposed?

My forum has CloudFlare and when inserting a URL from this service, I can get the real IP of my server, this is a big gift for DDoS attacks.

I checked it on the Discourse Meta and this forum don’t have URL-filtration too.

Blocked domain by IPlogger can’t help because the attacker can use a custom domain using the script for logger ip address. I think need use whitelist to filter domain who can use onebox.

Example: if admin allow only url from Youtube, Twitter, Imgur, all other url will be blocked.

Maybe Discourse have this setting? I can’t found :frowning:


Setting blocked onebox domains and allowed inline onebox domains in this page /admin/site_settings/category/onebox not work.

I create this rules:

Onebox show it:

We don’t have a complete end-to-end guide on doing this, but here are other relevant topics:


I think I found a solution with setting CSP. I managed to allow images only from my domain, need time for the dough and I will share the decision.