Abuse Prevention

Apply.Build blocks certain network activity at runtime to prevent abuse of the platform. This page explains what is blocked and why.

Blocked DNS lookups

DNS resolution for the following categories is blocked at the platform level:

Known malware and phishing domains — identified via threat intelligence feeds
Domains associated with DDoS amplification — to prevent your app from being used as a reflector

If your app needs to resolve a domain that is incorrectly blocked, contact support.

Blocked outbound domains

The following outbound domains are blocked during app runtime:

Cloudflare Argo Tunnel endpoints

Cloudflare Argo/Tunnel endpoints (e.g. *.argotunnel.com) are blocked. These services can be used to create reverse tunnels that bypass network controls.

GitHub Artifacts during runtime

Access to GitHub's artifact download endpoints is blocked during runtime. Build-time access to GitHub (for cloning, package downloads, etc.) is unaffected.

Rationale: Runtime artifact downloads can be used to exfiltrate data or fetch unreviewed payloads. If your app needs artifacts at runtime, download them during the build step and include them in your deployment artifact.

Why these restrictions exist

Apply.Build is a shared platform. These restrictions help us:

Protect other tenants — prevent one app from affecting others
Maintain IP reputation — keep Apply.Build's IP addresses off blocklists
Comply with regulations — meet EU hosting requirements for abuse prevention

Reporting false positives

If a legitimate domain is blocked, open a support ticket with:

Your app ID
The blocked domain
Why your app needs access

We review requests within one business day.