Last updated:


As of today, uptime and certificate checks are performed from the following locations:

IP addresses

The full list of IP addresses from where uptime and certificate checks are performed:

As a convenience, these lists are also available in the following formats:

If your firewall blocks incoming connections, make sure to whitelist these IP addresses to avoid false positives. For example, to whitelist IPv4 addresses in iptables, you can run the following idempotent bash script on most Unix systems (requires root privileges):


wget -qO /tmp/ipv4.txt

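# Insert an ACCEPT rule for each address that is not already present in INPUT.
# -F and -w make grep match the address literally and as a whole token,
# so 1.2.3.4 is not mistaken for 1.2.3.40.
for ip in $(cat /tmp/ipv4.txt); do
  if ! iptables -L INPUT -nv | grep -qwF -- "$ip" ; then
    iptables -I INPUT -p tcp -s "$ip" -j ACCEPT
  fi
done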

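Note that these IP addresses might get updated from time to time. To ensure that you are automatically getting updates, run this script as a daily cron job as the root user. Since iptables rules do not persist across a server reboot, it is highly recommended to define a @reboot cron job as well. The rule in the script accepts TCP connections from these addresses on every port; add a --dport match if only the monitored ports should be reachable.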

User agent

Every HTTP request that workers send has a user agent string which is set to:

Hexadecimal/1.0 (+

This header can't be overwritten, by design.

If you are seeing any malicious traffic coming from this user agent, please get in touch.


If you track visitor data in your web analytics, you might want to exclude requests originating from workers' IP addresses to get more accurate reporting. Alternatively, you can filter out requests by the user agent since it is immutable.
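Any client can send this user agent string, so an analytics filter is more reliable when it requires both the user agent and a source address from the published list. The sketch below is an added example, not code from the service: the addresses are constructed documentation-range values, the text after `Hexadecimal/1.0` in the sample lines is a placeholder, the log layout is assumed to be the Apache/nginx combined format, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data: documentation-range addresses stand in for the
# published worker list, which this example does not reproduce.
WORKER_NETWORKS = ["203.0.113.10", "203.0.113.11", "2001:db8::10"]
UA_PREFIX = "Hexadecimal/1.0"  # product token shown on the page
# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:00:00:01 +0000] "GET /health HTTP/1.1" 200 12 "-" "Hexadecimal/1.0 (+placeholder)"
198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:00:00:03 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Hexadecimal/1.0 (+placeholder)"
2001:db8::10 - - [01/Jan/2024:00:00:04 +0000] "HEAD / HTTP/1.1" 200 0 "-" "Hexadecimal/1.0 (+placeholder)"
"""


def classify(line, networks):
    """Return 'monitor', 'ua-mismatch', 'visitor' or 'unparsed' for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    try:
        addr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return "unparsed"
    from_worker = any(addr in net for net in networks)
    has_ua = m["ua"].startswith(UA_PREFIX)
    if from_worker and has_ua:
        return "monitor"      # both signals agree: exclude from analytics
    if has_ua:
        return "ua-mismatch"  # worker UA from an unlisted address: review it
    return "visitor"


def summarize(log_text, allowlist):
    """Count log lines per label; allowlist entries may be addresses or CIDRs."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    counts = {}
    for line in log_text.splitlines():
        label = classify(line, networks)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, WORKER_NETWORKS))
```

Lines labelled `ua-mismatch` are the ones worth reporting, since they carry the worker user agent without coming from a listed address.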