
❓403 — Site Blocking Scanner

How to clear a 403 error.

403 — Your site is blocking our scanner

What's happening

When we tried to scan your site, your security tool blocked our scanner from getting in. This is common with tools like Cloudflare, Wordfence, Sucuri, and other firewalls or security plugins.

It's a sign your site is well protected — but it also means we can't do our job until we're allowed through.

The fix

Instead of allowlisting IP addresses, our platform uses a custom authentication header to identify trusted scanner traffic.

You'll need to:

  • Navigate to the Domain Settings section.

  • Click on Advanced Settings.

  • Scroll to the Custom Headers section.

  • You will now see a custom Header name field and a Header value field, both of which you need to complete. Shopify customers can add multiple custom headers, which their setup requires. More here.

Example:

  • Header name (use a non-standard header): X-MyScanner-Auth

  • Header value (random, hard-to-guess): 7f3b9e2a-4c1d-4d2b-9f6e-1a2b3c4d5e6f

Other formats that work:

  • Name: X-Custom-Access

  • Value: scanner-access--2025-09-26--R4nd0m

Tips:

  • Use a header name that starts with X- or is clearly custom to avoid conflicts.

  • Make the value long and random (UUID or cryptographic token).

  • Don’t use sensitive personal info in the header value.

You will now need to add these exact values to your security platform so requests containing the header bypass security checks.

The exact setup steps depend on which security tool you're using.


If you're using Cloudflare

Cloudflare's bot protection is one of the most common causes of 403 errors during scans.

How to allow our scanner through

  1. Log in to your Cloudflare dashboard and select the domain we're scanning

  2. Go to Security → WAF → Custom rules

  3. Click Create rule

  4. Set the rule name to something clear like:

    • Allow AccessibilityChecker scanner

  5. Under When incoming requests match:

    • Choose Field: HTTP Request Header

    • Enter the Header Name from your AccessibilityChecker.org dashboard

    • Set the operator to equals

    • Paste the Header Value from your dashboard

  6. Under Then take action, select:

    • Skip

  7. Tick all relevant WAF/security components

  8. Click Deploy

Important note

Cloudflare applies some mandatory checks before custom rules, especially on Free, Pro, and Business plans. If you've configured the header correctly and still see 403 errors, this may be the reason. Enterprise plans provide more granular control.


If you're using Wordfence (WordPress)

Wordfence is one of the most common WordPress security plugins and a frequent cause of scan failures.

How to allow our scanner through

Because Wordfence doesn't provide a simple custom header allowlist feature in the UI, the easiest approach is to create a rule or exclusion based on the custom request header.

Option 1 (recommended): Use Wordfence Firewall Allowlisting

  1. In your WordPress admin, go to:

    • Wordfence → Firewall → All Firewall Options

  2. Look for:

    • Allowlisted services

    • OR any section that supports request exclusions or bypass rules

  3. Add a rule that checks for:

    • The custom Header Name

    • And matching Header Value

  4. Save changes

Open Wordfence - All Firewall Options

Option 2: Use server-level exclusions

If your hosting setup uses Apache or NGINX with Wordfence Extended Protection enabled, you may need to add the exclusion at server level instead.

Your developer or hosting provider can configure the server to bypass Wordfence checks when the request contains:

  • Header Name: from your AccessibilityChecker.org dashboard

  • Header Value: from your AccessibilityChecker.org dashboard

Important note

Some Wordfence setups also use rate limiting. If scans are still being blocked after adding the header rule, check:

  • Wordfence → Firewall → Rate Limiting

and ensure requests with the custom header are not being throttled.


If you're using Sucuri

Sucuri's WAF sits in front of your site and can block our scanner before requests ever reach your server.

How to allow our scanner through

  1. Log in to your Sucuri dashboard

  2. Select the site we're scanning

  3. Go to:

    • Settings → Security

    • or Access Control (depending on your plan/interface)

  4. Create a bypass or allow rule based on a request header

  5. Configure the rule using:

    • The Header Name from your AccessibilityChecker.org dashboard

    • The Header Value from your dashboard

  6. Save and deploy the rule

Setting HTTP security headers in Sucuri


If you're using AWS WAF

AWS WAF allows you to create rules that bypass filtering when specific request headers are present.

How to allow our scanner through

  1. Open the AWS WAF Console

  2. Open the Web ACL protecting the site we're scanning

  3. Click Add rules

  4. Create a new custom rule

  5. Configure the rule to:

    • Inspect a Single Header

    • Use the Header Name from your AccessibilityChecker.org dashboard

    • Match the Header Value from your dashboard

  6. Set the action to:

    • Allow

  7. Move the rule above other blocking rules

  8. Save and deploy

Figure 10: Console screenshot configuring a custom response body for a rule


If you're using Shopify

Shopify uses Web Bot Auth to let merchants securely authorize crawlers, scripts, or tools to access their public Shopify online store.

To create a custom header in Shopify:

  1. Log in to your Shopify store and go to Online Store > Preferences under Shopify admin

  2. Find the Crawler access section and click on Create signature.

  3. Give the signature a name, select the domain, and set an expiration period (up to 3 months)

  4. Copy all three Signature-Input and Signature values

These are the values you will need:

| Header Name     | Value                       |
|-----------------|-----------------------------|
| Signature-Input | (copied from Shopify admin) |
| Signature       | (copied from Shopify admin) |
| Signature-Agent |                             |

To add your custom headers to AccessibilityChecker.org:

  1. Log in to your AccessibilityChecker.org dashboard

  2. Click on the kebab menu to access Domain Settings

  3. Click on Advanced Settings and scroll down to Custom Request Headers

  4. Click on Add Header three times to insert all of the required Header Names and Values

  5. Click on Update Domain


If you're using something else

If your firewall or security tool isn't listed above, the principle is the same:

  1. Find the section where you can create:

    • custom rules

    • bypass rules

    • request filtering rules

    • allow rules

  2. Configure the rule to trust requests containing:

    • the custom Header Name

    • and matching Header Value

  3. Set the action to:

    • Allow

    • Bypass

    • Skip security checks

    • Trust request

You can find the required header details in your AccessibilityChecker.org dashboard under:

  • Domain Settings

Common other platforms where this works

  • Imperva

  • Akamai Technologies

  • Fastly

  • Bunny.net

  • ModSecurity

  • Hosting provider firewalls

  • Reverse proxies and load balancers
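
The rule every platform above is asked to implement, written out as an added Python example (not AccessibilityChecker.org's code or any vendor's): a request skips security checks only when it carries the exact header name and value. The function names, the "skip"/"inspect" labels, the rejection of duplicated headers and the sample requests are assumptions of this example; the header name and value are the illustrative ones from the Example section.

```python
import hmac
import secrets


def new_header_value(nbytes: int = 32) -> str:
    """Long, random value from the OS CSPRNG, as the Tips section asks for."""
    return secrets.token_urlsafe(nbytes)


def rule_action(request_headers, header_name, header_value):
    """Return "skip" only for exactly one copy of the header with the exact value.

    request_headers is a list of (name, value) pairs as a proxy receives them.
    """
    # HTTP header names are case-insensitive; the value must match exactly.
    seen = [v for n, v in request_headers if n.lower() == header_name.lower()]
    if len(seen) != 1:
        # Missing header, or several copies: this example never trusts those.
        return "inspect"
    # Constant-time comparison, so response timing does not leak the value.
    if hmac.compare_digest(seen[0].encode(), header_value.encode()):
        return "skip"
    return "inspect"


# Constructed sample requests; NAME and VALUE are the article's example values.
NAME = "X-MyScanner-Auth"
VALUE = "7f3b9e2a-4c1d-4d2b-9f6e-1a2b3c4d5e6f"
SAMPLE_REQUESTS = {
    "scanner": [("Host", "shop.example"), ("x-myscanner-auth", VALUE)],
    "no header": [("Host", "shop.example")],
    "wrong value": [("X-MyScanner-Auth", VALUE.upper())],
    "prefix only": [("X-MyScanner-Auth", VALUE[:-1])],
    "duplicated": [("X-MyScanner-Auth", VALUE), ("X-MyScanner-Auth", "x")],
}


def evaluate_samples():
    """Apply the rule to every constructed request and collect the actions."""
    return {label: rule_action(h, NAME, VALUE) for label, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, action in evaluate_samples().items():
        print(f"{label:12} -> {action}")
    print("fresh value:", new_header_value())
```

Because any request that presents the value is skipped, store and rotate the value the way you would a password.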


Is this safe?

Yes.

The custom header acts like a private authentication token that identifies our scanner as trusted traffic. Only requests containing the exact header name and value will bypass your security checks.

All other traffic on your site remains fully protected by your firewall or security platform exactly as before.


Still not working?

Our team has already been notified about the 403 error on your domain and will help you resolve it step by step.

If you'd like to speed things up, reply to the error email you received with:

  • a screenshot of your security platform settings

  • the rule you've created

  • any error messages you're still seeing

We'll tell you exactly what needs to be changed.
