❓429 — Scanner rate limited | AccessibilityChecker.org Help Center

429 — Your Site Is Rate-Limiting Our Scanner

What's happening

When we tried to scan your site, your security tool slowed our scanner down because it detected too many requests in a short period of time. As a result, the scan couldn't finish.

This is closely related to a 403 error. The difference is that instead of completely blocking our scanner, your security layer is throttling or rate-limiting it.

This commonly happens with tools like Cloudflare, Wordfence, Sucuri, and other firewalls, bot protection tools, or hosting security layers.

The fix

The solution is the same as for a 403 error: configure your security tool to trust our scanner traffic so it isn't rate-limited.

Our platform does this using a custom authentication header, not by allowlisting IP addresses.

You'll need to:

Log in to your AccessibilityChecker.org account.
Navigate to the Domain Settings section.
Click on Advanced Settings.
Scroll to the Custom Headers section.
You will now see a custom Header name and Header value field, which you will need to complete. For Shopify customers, you have the ability to add multiple custom headers, which is a requirement for your setup. More here.

Example:

Header name (use a non-standard header): X-MyScanner-Auth
Header value (random, hard-to-guess): 7f3b9e2a-4c1d-4d2b-9f6e-1a2b3c4d5e6f

Other formats that work:

Name: X-Custom-Access
Value: scanner-access--2025-09-26--R4nd0m

Tips:

Use a header name that starts with X- or is clearly custom to avoid conflicts.
Make the value long and random (UUID or cryptographic token).
Don’t use sensitive personal info in the header value.

You will now need to add these exact values to your security platform so requests containing the header bypass security checks.

The exact setup steps depend on which security tool you're using.

If you're using Cloudflare

Cloudflare's rate limiting, Bot Fight Mode, and WAF protections are one of the most common causes of 429 errors during scans.

How to allow our scanner through

Log in to your Cloudflare dashboard and select the domain we're scanning
Go to Security → WAF → Custom rules
Click Create rule
Set the rule name to something clear like:
- Allow AccessibilityChecker scanner
Under When incoming requests match:
- Choose Field → HTTP Request Header
- Enter the Header Name from your AccessibilityChecker.org dashboard
- Set the operator to equals
- Paste the Header Value from your dashboard
Under Then take action, select:
- Skip
Tick all relevant WAF/security components
Click Deploy

Important note

Cloudflare applies some security checks before custom rules, especially on Free, Pro, and Business plans. If you've configured the rule correctly and still receive 429 errors, this may be why.

If you're using Wordfence (WordPress)

Wordfence commonly triggers 429 errors through its rate limiting and brute-force protection settings.

How to allow our scanner through

Because Wordfence doesn't provide a simple custom header allowlist feature in the UI, the easiest approach is to create a rule or exclusion based on the custom request header.

In your WordPress admin, go to:
- Wordfence → Firewall → All Firewall Options
Look for:
- rate limiting
- allowlisted services
- request exclusions
- or advanced firewall rules
Create a bypass or exclusion rule using:
- the custom Header Name
- and matching Header Value
Save your changes

Also check rate limiting settings

Go to:

Wordfence → Firewall → All Firewall Options → Rate Limiting

Make sure requests containing the custom header are not being throttled or blocked.

If you're using Sucuri

Sucuri can trigger 429 errors when its WAF or anti-bot protections detect high request volume.

How to allow our scanner through

Log in to your Sucuri dashboard
Select the site we're scanning
Go to:
- Settings → Security
- or Access Control
Create a custom bypass or allow rule based on a request header
Configure the rule using:
- the Header Name from your AccessibilityChecker dashboard
- the Header Value from your dashboard
Save and deploy the rule

If you're using AWS WAF

AWS WAF rate-based rules can block or throttle scanners when many requests are sent quickly.

How to allow our scanner through

Open the AWS WAF Console
Open the Web ACL protecting the site we're scanning
Add a new custom rule
Configure the rule to:
- inspect a Single Header
- match the Header Name from your AccessibilityChecker dashboard
- and the matching Header Value
Set the rule action to:
- Allow
Move the rule above any rate-based or blocking rules
Save and deploy

Figure 10: Console screenshot configuring a custom response body for a rule

If you're using Shopify

Shopify uses Web Bot Auth to let merchants securely authorize crawlers, scripts, or tools to access their public Shopify online store.

To create a custom header in Shopify:

Login to your Shopify store and go to to Online Store > Preferences under Shopify admin
Find the Crawler access section and click on Create signature.
Give the signature a name, select the domain, and set an expiration period (up to 3 months)
Copy all three Signature-Input and Signature values

These are the values you will need:

Header Name	Value
Signature-Input	(copied from Shopify admin)
Signature	(copied from Shopify admin)
Signature-Agent	"https://shopify.com"

To add your custom headers to AccessibilityChecker.org:

Login to your AccessibilityChecker.org dashboard
Click on the kebab menu to access Domain Settings
Click on Advanced Settings and scroll down to Custom Request Headers
Click on Add Header three times to insert all of the required Header Names and Values
Click on Update Domain