> But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option.
Plan to redeploy your production server to a new IP address too since the attacker will still be able to hit it directly.
Considering that the website the article refers to is hosted on DigitalOcean, in this case the problem would be DigitalOcean's DDoS policy, which is basically to null-route the IP's traffic for 4 hours or so when an attack is detected.
> This means we are now just using Cloudflare for DNS. But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option.
Without this enabled, attackers know what your backend IP address is, so even if you enabled it later, they could continue to DDOS your IP directly, without doing a DNS lookup.
You'd only get what you want if you both re-enabled this and switched to different IP addresses.
Also the Cloudflare cookie is clearly for technical purposes, not marketing. So no consent is needed under GDPR, in my understanding. Getting rid of it didn't accomplish anything useful.
I enjoyed the post and appreciate that more people are looking for privacy focused alternatives to traditional vendors.
Though I'm disappointed to hear that one of the conclusions seems to be that there's no privacy-focused chat vendor that does something as simple as not collecting identifying information on users until they interact with the chat app, with integrated consent collection (which is essentially what they've implemented with their fork).
Maybe the wider HN community might know of such a service?
At least under EU cookie laws and GDPR you shouldn't need a consent banner for Cloudflare cookies, as they provide essential functions (for availability and security) and don't track users. You might have to mention them and their purpose in your privacy policy though.
You might be kind of wrong. I think you don't need consent. But the cookie law still requires a notification banner (which is basically the same thing). That's because cookie usage by itself (no matter the purpose) requires notification.
It's a bit unfortunate; there was a follow-up to this law that much improved the cookie nagging, but unfortunately it seems to have been stopped in its tracks by lobbyists because of its restrictions on ad tracking.
"""
Are we required to provide information and obtain consent for all cookies?
No – PECR has two exemptions to the cookie rules. Regulation 6(4) states that:
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
"""
Strictly necessary includes "Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)". That covers at least one of the Cloudflare cookies directly, and gives a good indication that the other two also qualify.
But the regulator guide is about GDPR. And it's consistent with what I wrote - GDPR law does not require consent for such cookies. So the regulator is ok with no consent.
Apart from GDPR law, there's also separate EU Cookie Legislation which was passed before GDPR. This regulation requires clear user notification (not consent) that cookies are used. As far as I know (but I might be wrong, I don't follow it) this law is still in place and GDPR did not replace it. So that means you still need a cookie notification banner (but not with an "I accept" button but with "I understand").
No, that's not true; look at article 5(3) of the directive, it exempts strictly necessary cookies as well (it doesn't reference cookies in particular but applies to all kinds of storage technologies instead): https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
I am not sure what exactly you mean is not true. But in fact the article you linked talks about pre-GDPR cookie consent. So it kind of contradicts what I said. But in practice, to gather such consent it was allowed to say "if you don't consent, please disable cookies in your browser", and that's what I meant about the "I understand" button. Regarding the exemption from this notification, I am not sure if CF cookies should be considered as strictly necessary.
The cookie law is no more. GDPR superseded it. It requires user consent, but only in some cases. Under GDPR, cookies that are not "personal information" (those that do not track users) do not require consent.
This is a common misconception. The GDPR is about protecting user's information, it's not really about cookies (the entire 88 page law mentions cookies only once).
The ePrivacy Regulation is intended to replace the cookie law (ePrivacy Directive) eventually, but it hasn't yet.
Netlify doesn't seem to have a consent banner but sites hosted on it don't set cookies, despite using Cloudflare (at least that's my experience hosting a blog on it).
The problem with _cfduid is that it is essentially a third-party cookie (even if it's set on your own domain).
So I think you are still required to inform users of the cookie usage, the purpose of the cookies and link to the relevant Cloudflare privacy/cookie policies.
They wanted to get rid of cookies as much as possible as that's part of their business plan (privacy). So they found a better CDN that didn't use cookies at all, so I'd say they made out like a bandit.
You can upload files with their API using cURL and the --upload-file parameter. I wrote a shitty bash script to upload images[1] to it which should help you, if you still need it or want to give it a try.
This is a really good write up! I wish more companies and SaaS put this cookie-less directive on top of their priorities.
We do the same, except we have a JWT cookie, which is strictly bound to our domain. Additionally we avoid third-party scripts and apps, fonts or things like the Facebook commenting system. Basically all stuff sending user traces to foreign parties. We did a write-up about how we did it here, if you are interested: https://www.tredict.com/blog/we_do_not_track_you/
Isn't the problem about actual tracking and not the cookies?
If you track someone without using any cookie you still need to ask for consent.
I kind of don't understand this post. Can someone explain why it is okay to track someone without a cookie?
Exactly - cookies are only the most used because they have the largest support by browsers (going back 10 years). If you used purely local storage instead, you’d still need consent to track.
GDPR regulates tracking individuals, and is not particular about the means or form. On the whole, GDPR is pretty sensible.
There is an older law called the ePrivacy Directive that regulates cookies. Under this law, cookies require consent even if they are not used for tracking, unless they are strictly necessary for technical reasons. This law is a big pain in the butt because many reasonable and legitimate uses for cookies aren't "strictly necessary."
The ePrivacy Directive technically applies to reading or writing data from a browser, so it will equally apply to any fingerprinting method you care to think of.
Assuming Apple is only using cookies for technical purposes, like providing a way to log in or use a shopping cart, then there is no need to use a banner. Google needs the banner because they are using cookies for advertising and tracking purposes, and you can probably guess why there's no way to decline.
I was recently tasked with making an "Accept our use of cookies" banner for our public site. Before that banner we did not store any cookies at all; now we have one to store their consent.
That doesn't prevent dark UI patterns like highlighting "Accept" and hiding "Reject" as much as possible, or not having a "Reject all" button. Some sites deliberately make you manually click on "Reject" for each "ad partner", at which point I bail out or disable JS or scrape the text if I'm really interested in the content.
The web of 2020 has become a hostile and ad infested place. I miss the simplicity of the 90s, but it might be nostalgia bias.
To be fair the web of the early 2000s was full of ads too. I remember a time when people still used Yahoo as their homepage which was basically just a giant ad delivery platform with even more invasive ads than we have today. That's not to say that today is much better. It seems like most sites today try to walk the line between ad revenue and user retention.
The new dark pattern is to default everything off, but then have a separate switch labelled "legitimate reasons", which are all turned on by default.
For example https://www.telegraph.co.uk/ (right wing UK newspaper). In the pop-up it says "You can also review where our partners claim a legitimate interest to use your data and, should you wish, object to them doing so.".
If you click manage it opens with "user consent" selected, where everything is turned off. Clicking save means they're not going to start tracking you, right?
Wrong, if you switch to "legitimate purpose", you'll see that everything is turned on. All those ad companies claim they have a legitimate purpose to be tracking you, even though you have zero business relationship with them.
Unless the ICO hands out some very heavy fines to those companies, the whole thing's become a farce, just like the cookie law was.
(PDF) Irish DPA's sweep of thirty-odd websites under its jurisdiction. Lots of good guidance here, but for the point specifically under discussion, ctrl+f "nudge." https://www.dataprotection.ie/sites/default/files/uploads/20... by the DPC on the use of cookies and other tracking technologies.pdf
Filed bankruptcy? No problem. Just make the credit companies forget about it!
After moving from the US to the EU, I've thought about trying to use that right on my credit history in the US. I don't think it would work, but it would be entertaining if they even responded.
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
if the processing is necessary for the purposes of preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.
For more information about special categories of data please see our Guide to the GDPR.
Respectfully, educating stakeholders is part of your job. Until you accept and embrace that, you're likely to remain stuck in roles doing useless things.
If they heard from legal they need it and legal hourly rate is greater than engineering hourly rate, they will rather waste engineering time than spend legal time to save engineering time.
Attempting to educate stakeholders is part of your job. Forcing them to accept your reasoning may not be possible and they may have other reasons for their decisions that you may not know about or they may not wish to reveal (legal, marketing, internal politics, etc).
And at some point in pushing back, disagree-and-commit is the right thing to do.
Since the topic touches law, it's more complex to some people than you might think. To us it's obvious, but someone else might think that they better be safe than sorry and not get sued for accidentally setting a (non-essential) cookie somewhere without letting the user know. I definitely know some people who'd rather implement such "unnecessary" things than exposing themselves to a potential legal trap.
I would recommend thinking like a lawyer and writing a memo like one. Legal writing and analysis follows a very common pattern known as IRAC (Issue, Rule, Analysis, Conclusion):
(1) Identify the issue; (2) Quote all relevant rules; (3) Analyze the rules in light of your specific factual circumstances; and (4) Reach a reasonable conclusion based on your analysis of the rules.
This is how your company's legal team is making recommendations to management. You have to fight fire with fire. The only advantage your legal department may have over you is access to more comprehensive legal research services like Westlaw and LexisNexis. But at the end of the day, all they're doing is researching what the law is and how the courts are interpreting the law. Search for the right terms on Google, and you can do a pretty damn good job at crafting credible arguments. We don't need the lawyers always acting like they're at the top of the food chain.
You might instead consider asking people why they're asking, and figuring out ways to promote more widespread understanding.
Concretely: you might actively promote adblockers and tell people why they should use them. And rather than saying "we don't use tracking cookies", you could explain "here's why so many sites have cookie banners, here's why we don't".
I'm not suggesting doing it proactively; I'm suggesting doing it in response to the question, if people repeatedly ask the question. "No, and here are other ways to protect yourself" is stronger and more definitive than just "no".
Lawyers would argue that it might be a good idea to put up a sign if your neighbors have a dog that could attack them.
(weak argument but somewhat funny).
Lawyers are ultra cautious. If you can -guarantee- that no one is going to magically add tracking/Google Analytics or some such to your site, then sure, tell them you don't need the banner.
Yeah, and I don't hold it against very early stage startups or Show HNs. But if your company has lawyers in-house preparing these texts, that's more surprising then.
Eventually we'll add an analytics plugin and need the banner. But at the time it was one of those "every site has one" decisions from non-technical folks. Similar frustration with arbitrary password requirements on the same site.
Probably an unpopular opinion - but if you do not have a physical presence in the EU, and you're not the size of some Unicorn corp, you can completely ignore these silly cookie banners for now and instead focus on things that actually matter for your startup.
My "dysfunctional product design process" alarm is going off.
The idea of implementing an annoying popup to support something you _might_ do in the future for any reason is madness.
And do they not realize that user credentials are a huge liability? Why would you want to support anything related to user identity if you don't need to.
I don't think it is irrational or madness at all. Imagine having to switch developers and then you ask for analytics from your new developer. It could very easily happen that they forget about the cookie banner.
I would go as far as to say it is wise to deal with it once and for all.
Especially since implementing the banner takes such a short amount of time. Worrying about it will waste many times more brain cycles, and once again there is always a chance someone forgets about it in the future, and legal worries will be infinitely more costly.
What are we as technical operators even good for if our counsel, judgment and recommendations (things I thought we were even hired for as valuable key contribution points) are frequently overridden by non-technical people who in the best cases don’t understand the evidence shown, in the worst don’t even care to?
Well, if you use Cloud Armor and you try to change the password, it apparently doesn't like the password to start with $ and then this blocks the whole request.
Two options to solve it: disable the specific rule or change the password requirements. Sometimes the latter is the easiest in some companies.
At least 90% of the banners I get hit with around the web are automatically not GDPR compliant because they require you to opt out. It's amazing to think of the effort that's been expended implementing them while still failing to follow the law.
I'd call it a legal fig leaf, but it doesn't cover up anything at all.
I've been thinking of trying to combine self-hosted analytics and adding ad info in the urls of ads so I can track if a user arrived at my site via an ad without divulging that to any third parties.
Has anyone tried something like that? Did it work? Obviously what you give up is retargeting but that may have to go anyhow.
Tracking ads via URL parameters is pretty standard (utm parameters), and self-hosted Matomo can be set to run without cookies. This means that some metrics can't be tracked [1]. The most impactful of those is attributing people to a campaign if they come via an ad, view your website, but only convert after leaving and coming back some time later.
If you leave cookies enabled everything just works as you would expect, with full conversion tracking etc. Some ad services try to optimize ads according to tracking data you send them, which obviously doesn't work if you don't run their tracking code.
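The attribution gap described in the two paragraphs above can be made concrete with a small cookie-less attributor. This is an added example, not code from the thread or from Matomo: it reads constructed access-log lines, counts landing visits and conversions per UTM campaign, deliberately ignores the client address so no per-visitor identifier is kept, and attributes a conversion only when the UTM parameters are still carried on the conversion request itself. The paths and parameter names (`/signup/complete`, the `utm_*` keys) are assumptions for the example.

```python
"""Cookie-less campaign attribution from web-server access logs (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Common Log Format; not real traffic.
# Visitor 1 converts with the UTM parameters still in the URL (attributable).
# Visitor 2 comes back the next day via a bookmark (unattributable without a cookie).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2020:10:00:00 +0000] "GET /pricing?utm_source=duckduckgo&utm_medium=cpc&utm_campaign=launch HTTP/1.1" 200 5120
203.0.113.10 - - [01/Nov/2020:10:01:30 +0000] "GET /signup/complete?utm_source=duckduckgo&utm_medium=cpc&utm_campaign=launch HTTP/1.1" 200 880
198.51.100.7 - - [01/Nov/2020:10:05:00 +0000] "GET /pricing?utm_source=newsletter&utm_medium=email&utm_campaign=nov HTTP/1.1" 200 5120
198.51.100.7 - - [02/Nov/2020:09:00:00 +0000] "GET /signup/complete HTTP/1.1" 200 880
192.0.2.44 - - [02/Nov/2020:09:30:00 +0000] "GET /blog/we-removed-cookies HTTP/1.1" 200 9000
"""

# Only the request line is extracted; the client address is never used.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CONVERSION_PATH = "/signup/complete"          # assumed conversion page
UTM_KEYS = ("utm_source", "utm_medium", "utm_campaign")


def campaign_of(target):
    """Return (source, medium, campaign) from a request target, or None if any key is missing."""
    qs = parse_qs(urlsplit(target).query)
    if not all(k in qs for k in UTM_KEYS):
        return None
    return tuple(qs[k][0] for k in UTM_KEYS)


def attribute(log_text):
    """Count landing visits and conversions per campaign without storing any visitor id.

    A conversion with no UTM parameters on its own URL lands in the
    "unattributed" bucket; that is the cost of not setting a cookie.
    """
    visits = Counter()
    conversions = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET" or m.group("status") != "200":
            continue
        target = m.group("target")
        campaign = campaign_of(target)
        if urlsplit(target).path == CONVERSION_PATH:
            conversions[campaign or "unattributed"] += 1
        elif campaign is not None:
            visits[campaign] += 1
    return visits, conversions


if __name__ == "__main__":
    v, c = attribute(SAMPLE_LOG)
    for campaign, n in v.items():
        print("visits", campaign, n, "conversions", c.get(campaign, 0))
    print("unattributed conversions:", c.get("unattributed", 0))
```

Propagating the UTM parameters from the landing page into the signup link is what makes the first conversion attributable; anything that spans a return visit needs either a cookie or localStorage, which is the limitation the comment above points out.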
A little bit off topic, but this thing looks suspiciously a lot like https://lunchmoney.app/ and as far as I can tell is totally unrelated. Even the Lunch Money logo is used under the pricing section... Is this just a coincidence / did Lunch Money also use some stock illustrations that’re used here? Or is just good old fashioned copying?
Lunch Money founder here! Thanks for flagging :) My guess is that it was definitely inspired by Lunch Money as the founders here have reached out to me before about liking my branding.
I did not use any stock illustrations for our logo– the idea was thought up by me and subsequently digitally illustrated by me also. I've had my logo/branding both partly and fully copied time and time again, and while seeing this is a bit annoying, I'd chalk it up to "heavy inspiration" over outright copying. That being said, Leave Me Alone is doing great stuff in a different space and I am rooting for their success.
This is just feedback as a user and fellow maker - so you can calibrate your target audience (given that only people who care about being tracked are vocal on this):
I love your service because I can easily get rid of crappy newsletter but I don't care if a website is tracking me and I'd prefer if you'd spend more time on the product instead of this bike shedding.
I understand the marketing plan and getting traffic from HN and I respect that, but as a user, I'm slightly put off by this.
I hate crappy emails like I hate cookie banners. It's not because of privacy concerns, it's because it's a PITA.
In case leavemealone.app is reading these messages, I will leave this here. I failed to sign up. After clicking the sign up button, the button began pulsing but did nothing more. When I tried reporting the failure via chat, nothing happened when I clicked send. After clicking send, I noticed that my initial chat message had been truncated halfway. I don’t know if these two failures are related.
I am using Firefox Focus on an iPhone 7 running iOS 14.1.
The enterprise plan is a very custom plan - if you only need access to one or two features and/or only have a few million requests a month, the price can be pretty cheap (much less than the 5k/mo price advertised on the CF dashboard), but if you want mission-critical features like bot management[0], access to China datacenters[1], etc. it definitely can get into the 6-figure range - and they do have over 550 customers paying 6 figures or more [2].
But just getting one to remove the cookie is probably not worth it since it will end up costing more than a business plan (200/mo) regardless.
Cookies are not an issue for GDPR, it's all about respecting users' privacy. In fact you can freely store anonymous data to cookies, localStorage, and sessionStorage without issues. The problem comes when you are dealing with personally identifiable information such as permanent identifiers.
You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible. Any service that accesses device information such as the URL needs permission from the user according to the ePrivacy directive.
We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:
Founder of Simple Analytics [1] here. There is a lot of information around cookie banners that is just not true. For example, cookies are not limited to the technology of cookies; it covers any piece of information that you can use to track a user. An IP address, localStorage, sessionStorage, ... You are allowed to add a functional cookie with a dark mode setting for example without a cookie banner. You can't use an analytics cookie without a cookie banner.
What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personally identifiable information. This includes, but is not limited to, an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information; this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.
You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.
Cookie banners are also a thing that are implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR. The e-Privacy was already in place before the GDPR and the GDPR is somewhat a clarification of it.
Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they are tracking your users and you might need a cookie banner.
Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.
The ePrivacy is just a _directive_ and doesn't oblige to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service for opt-in or opt-out style banner. [2]
Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.
I would argue that at least for the Czech Republic, the notice is not required if the processed data is crucial to providing the service the user requested.
You cite Article 89(3) of the Electronic Communications Act, where it's stated that "... nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user."
This part was also modified several times, most recently in 2018 (20/2018 s. 687).
How is that defined? For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think is pretty "essential".
It means essential for the usage of the website, as in technically essential, like login or shopping cart.
The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intend to follow it.
A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent [1].
Nothing stopping you from analysing your logged-user data, though (as long as you disclose it to your customers and comply with the rest of GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.
I am confused. What do you mean by “browser URL”? Do you mean the URL of the page that the user accessed? How is that not essential? How is it specific to the user’s device?
Yes: the location information on the browser. You cannot access it for non-essential purposes without user consent. See Article 5 / Statement 3 in the ePrivacy directive[1].
The browser sends the URL to the server to download the page so you can’t avoid receiving the URL before receiving consent from the user. You get to see the URL without accessing the user’s device.
Your citation does not mention URLs or clarify why they might be non-essential.
ePrivacy talks about "information stored in the terminal equipment", which includes any information you can get from the device. For example the user agent, location, and operating system. It's not about the information itself being essential or not, but what you do with it: is it for essential purposes (consent not needed) or non-essential purposes (consent needed).
Ah, this would make sense. They mean if I put data in the url and retrieve it from there. www.example.com/search?q=abcd would be fine in that interpretation.
The GDPR is not a clarification of the ePrivacy directive, on the contrary. The ePrivacy directive "particularises" certain aspects of the GDPR. National implementations of the ePrivacy directive (which, unlike the GDPR, needed to be put in laws within each EU country) that e.g. regulate certain aspects of electronic communication have priority over the GDPR as a "lex specialis". Wherever such provisions do not exist, the GDPR takes precedence as a "fallback legislation".
The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.
That depends solely on what is an "analytics cookie". If it's a permanent identifier, then it's considered PII and requires a GDPR consent. Otherwise GDPR doesn't care. You can freely store foo=bar to a cookie.
We have a rather difficult onboarding process and users often message via the chat for help.
For the homepage I'd say visitors message rarely so it is less useful. That said, the ones that do are usually the same who convert as they are already fairly qualified leads and just want a little extra info before they sign up.
Back when I was doing web stuff for clients I got a lot of help through hostgator chat function and it was great. It all depends on how knowledgeable the person on the other side is. The medium is fine in and of itself.
One - the person on the other end works for a different company and they can answer a few common questions, but everything else is "call this 800 number." Cell phone companies do this.
Two - the person immediately says "give me your phone number and lets talk on the phone" (car dealers are terrible for this).
I guess there is a third type - companies using a laughably terrible bot. I encountered this with Sony after I bought a game online and it wouldn't start. I eventually called in and they instantly refunded my money because I think it was a common problem.
There is a fourth type. The MVNO I have my phone plan (and friends/family) with actually utilizes their live chat for support, and usually I get a very knowledgeable person in 30ish seconds. It's great. Red Pocket Mobile is the name.
How effective is retargeting? I understand that it varies from business to business, but from what I saw 5 years ago in consumer electronics, gaming and toys, it's not really going to be a significant revenue source.
The retargeting most of us see is the failed kind where you're trying to sell a fridge to the person who already ordered one two days ago, and you're the person who sold it, but your retargeting partner does actually support registering purchases.
> The retargeting most of us see is the failed kind where you're trying to sell a fridge to the person who already ordered one two days ago
I’ve paid close attention over the past few years and have found >80% of the retargeted ads are for something I just purchased (and they are usually the “single purchase” type product, similar to the fridge analogy you used)
Even if a big share of your ad impressions falsely target someone who already bought (see sibling comment) the remaining impressions lead to an increase in conversions at a comparatively low cost per conversion.
As you said, this will vary from business to business, but I have seen very successful retargeting campaigns in b2c e-commerce as well as b2b lead generation.
Well, cookies are not per se evil and you can use them in a privacy-friendly way. You should ask for consent for non-functional cookies (for the Cloudflare cookie you probably wouldn't need to ask for consent, for example) and make sure your consent workflow is compliant with the GDPR. The European Data Protection Board just published guidelines on this btw (in May): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...
We e.g. offer an open-source consent management solution that is compliant with GDPR (as much as you can say that with confidence) and which you can self host: https://github.com/kiprotect/klaro
Building sites without cookies is possible but it's a bit extreme IMHO. Properly scoped and limited first-party cookies do not pose a large privacy risk to individuals and can make certain legitimate use cases like analytics much easier (or even possible, in some cases).
This is an awesome idea, I really love the writing and products presented (TLDR; SimpleAnalytics, BunnyCDN, Intergram). Good luck with LMA, this is an awesome product
IMO, the "cookie banner" does not help make the internet safer; it only worsens the UI. Add a few more banners and there is no content left. How many people who don't know how the internet works hit "Disagree", if we still refuse to pay for e-services?
Well... turns out, it's not that easy. I, too, removed the cookies from my website [1] and was thrilled to finally get rid of the cookie banner, but had to jump through some hoops:
- It's a WooCommerce store. WooCommerce stores one persistent cookie to keep track of your cart. I had to hack up a little snippet of PHP code to turn that into a session cookie. It's not quite documented behavior, but the hack feels robust enough that I can live with it. (Session cookies are allowed, as per GDPR.)
- YouTube embeds had to go, as even their youtube-nocookie domain sets cookies (thanks, YT). Vimeo has a "dnt" option that seems close to what I want, but it still sets some ID in localStorage, which the GDPR views as equivalent to cookies in this regard. So my current workaround is to just have the video thumbnail and link to the proper video on YT, but that sucks because now my visitors leave the website.
- Replaced Google Analytics with self-hosted Matomo, carefully configured to not set cookies (it's not trivial), which now regularly brings my cheap hosted server to the limit ;-)
So even a relatively simple website that does little fancy is not easy to get free of cookies.
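Before claiming a site is "free of cookies", it helps to audit the Set-Cookie headers it actually returns, since the difference between the allowed session cookie and the persistent one in the post above is a single Expires or Max-Age attribute. The following is an added example, not code from the post or from WooCommerce: it parses Set-Cookie headers per RFC 6265 (Max-Age takes precedence over Expires; Max-Age=0 deletes), classifies each cookie as session-scoped, persistent or deleted, and flags a Domain attribute that is broader than the page host. The sample headers and the page host `www.example.com` are constructed; the cookie names are illustrative and say nothing about what any vendor sets.

```python
"""Audit Set-Cookie headers for a session-only site (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers for a page served from www.example.com.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart_token=t%7C1604236800; Expires=Tue, 03 Nov 2020 12:00:00 GMT; Path=/; Secure; HttpOnly",
    "_vendor_uid=d41d8cd9; Domain=.example.com; Max-Age=31536000; Path=/; SameSite=None; Secure",
    "theme=dark; Path=/; Max-Age=0",  # Max-Age=0 tells the browser to delete the cookie
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes); attribute keys are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def classify(header, page_host, now=None):
    """Describe one cookie: lifetime (session/persistent/deleted), domain scope and flags."""
    name, _, attrs = parse_set_cookie(header)
    now = now or datetime.now(timezone.utc)
    lifetime = "session"                       # no Expires and no Max-Age: dies with the browser
    if "max-age" in attrs:                     # RFC 6265: Max-Age wins over Expires
        lifetime = "deleted" if int(attrs["max-age"]) <= 0 else "persistent"
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = "persistent" if expires > now else "deleted"
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": name,
        "lifetime": lifetime,
        # A Domain attribute wider than the page host is shared with every subdomain.
        "broader_domain": bool(domain) and domain != page_host.lower(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "missing"),
    }


def audit(headers, page_host, now=None):
    """Return the cookies that stop a site from being session-only and first-party scoped."""
    return [
        c for c in (classify(h, page_host, now) for h in headers)
        if c["lifetime"] == "persistent" or c["broader_domain"]
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, "www.example.com"):
        print(finding)
```

Run it against the headers your own server returns (for example, copied out of the browser's network panel) rather than the constructed list; the useful output is the list of names that come back, which is exactly the set of cookies a consent review has to account for.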
Would you have a source? Reading through this page[0] I don't get the impression this is right. Session cookies are cookies nonetheless that can be used to identify users and if they are used that way, consent should be asked and given before usage.
The eDirective states that the browser and device information (like the URL) is private data and you need permission to access it for non-essential purposes such as analytics. This is why Simple Analytics also needs a cookie banner, contrary to what their marketing says.