Medium
automation_user_agent -25 User-Agent looks automated, headless, or scripted.
Lightweight Cloudflare Worker
IP Security Analyzer
A privacy-aware IP intelligence dashboard that evaluates the public network path, reputation signals, browser exposure, and connection consistency without treating datacenter usage as risk by itself.
216.73.216.248
IPv4
AS16509
US
HTTP/2
TLSv1.3
Network Identity
Anthropic, PBC
Hosting / Datacenter
ASNAS16509
CityColumbus
Cloudflare EdgeCMH
IPinfo Lite
StatusOff
ASNN/A
AS NameN/A
DomainN/A
CountryUS
AbuseIPDB
StatusOff
Abuse ScoreN/A
ReportsN/A
Distinct UsersN/A
TorN/A
Network Details
Usage TypeN/A
AbuseIPDB ISPN/A
DomainN/A
HostnamesNo hostnames
Last ReportedNever
Connection Fingerprint
ProtocolHTTP/2
TLSTLSv1.3
Ray IDa02f410b8b8dd96e
Bot ScoreN/A
Verified BotN/A
Server-side Findings
Low
browser_header_mismatch -10 User-Agent looks like a browser but common modern browser headers are missing.
Low
missing_accept_language -8 Browser-like request has no Accept-Language header.
Info
known_hosting_asn +0 ASN is in the built-in hosting/cloud/datacenter ASN list. Hosting ASN alone is not treated as risky.
WebRTC Leak Test
WebRTC test has not been run yet. Use the test button to collect browser ICE candidates and compare them with the HTTP IP.
Technical Methodology
Purpose of the analysis
The dashboard evaluates the public network identity that reaches the service. It does not try to guess hidden private information; it correlates observable signals such as ASN ownership, abuse reputation, request consistency, and optional browser-side WebRTC exposure.
Network identity layer
The first layer identifies the visible IP address, IP version, ASN, network organization, country, region, city, Cloudflare edge location, HTTP protocol, and TLS version. These fields describe the route and network presenting the request to the application.
ASN and organization classification
The classifier groups networks into categories such as hosting/datacenter, mobile carrier, corporate network, education network, residential-like ISP, or VPN/proxy-like naming. This classification is used as context. Hosting, CDN, cloud, and transit networks are not penalized unless stronger risk evidence exists.
Reputation correlation
Abuse reputation is evaluated through confidence score, report count, number of reporting users, Tor indication, last reported time, ISP, domain, usage type, and hostnames. Reputation score and report volume are weighted because they represent historical abuse evidence rather than simple network type.
IP enrichment context
ASN enrichment provides the AS number, AS name, AS domain, country, and continent. This improves attribution and makes the network identity easier to interpret. It is not treated as direct proof of VPN, proxy, or malicious behavior.
Request consistency checks
The Worker checks whether the request looks consistent with a normal browser session. It reviews User-Agent presence, known automation clients, Accept-Language, browser client hints, fetch metadata headers, TLS version, and optional Cloudflare Bot Management signals when available.
Risk scoring logic
The score starts at 100 and decreases only when meaningful risk indicators are present: Tor status, elevated abuse confidence, abuse reports, VPN/proxy/privacy keywords, suspicious automation headers, low bot score, or browser-side leak findings. Datacenter classification alone remains informational.
WebRTC exposure test
The browser test creates a temporary peer connection and collects ICE candidates. If a public candidate IP differs from the HTTP IP observed by the Worker, it is reported as a possible browser-side exposure or proxy bypass signal. Local, private, and mDNS candidates are shown separately.
Signal interpretation
The dashboard separates classification from risk. A clean datacenter IP with no abuse reports remains low risk, while a residential-looking IP can still become risky if it has abuse history, Tor status, automation indicators, or WebRTC mismatch evidence.
Known limitations
The service can only analyze signals visible to the website and browser. A properly configured VPN or proxy may hide the original ISP IP completely. DNS resolver leaks cannot be confirmed by a standard Worker without authoritative DNS logging for unique test domains.
Raw JSON
{
"status": "success",
"version": "9.0.0-professional-no-datacenter-penalty",
"generatedAt": "2026-05-28T18:17:04.566Z",
"ip": {
"address": "216.73.216.248",
"version": "IPv4"
},
"network": {
"asn": 16509,
"isp": "Anthropic, PBC",
"localClassification": {
"type": "Hosting / Datacenter",
"flags": {
"knownHostingAsn": true,
"hostingName": false,
"vpnProxyName": false,
"mobileName": false,
"residentialName": false,
"educationName": false,
"corporateName": false,
"abuseDatacenterUsage": false,
"abuseTor": false
},
"evidenceText": "Anthropic, PBC 16509"
}
},
"location": {
"country": "US",
"countryCode": "US",
"region": "Ohio",
"city": "Columbus",
"timezone": "America/New_York",
"latitude": "39.96118",
"longitude": "-82.99879",
"colo": "CMH",
"continent": "",
"continentCode": ""
},
"connection": {
"tlsVersion": "TLSv1.3",
"tlsCipher": "AEAD-AES256-GCM-SHA384",
"httpProtocol": "HTTP/2",
"rayId": "a02f410b8b8dd96e",
"userAgent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)",
"acceptLanguage": "",
"accept": "*/*",
"secChUa": "",
"secChUaMobile": "",
"secChUaPlatform": "",
"secFetchSite": "",
"secFetchMode": "",
"secFetchDest": "",
"ja3Hash": null,
"ja4": null,
"referer": ""
},
"cloudflareSignals": {
"botScore": null,
"verifiedBot": null,
"staticResource": null,
"corporateProxy": null
},
"externalIntel": {
"ipinfoLite": {
"enabled": false,
"ok": false,
"parsed": null,
"raw": null,
"error": "IPINFO_TOKEN not configured",
"attribution": "IP address data powered by IPinfo Lite"
},
"abuseipdb": {
"enabled": false,
"ok": false,
"parsed": null,
"raw": null,
"error": "ABUSEIPDB_KEY not configured"
}
},
"risk": {
"score": 57,
"verdict": "High Risk",
"tags": [
"Hosting/Datacenter"
],
"findings": [
{
"id": "automation_user_agent",
"severity": "medium",
"points": 25,
"message": "User-Agent looks automated, headless, or scripted.",
"evidence": {
"userAgent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)"
}
},
{
"id": "browser_header_mismatch",
"severity": "low",
"points": 10,
"message": "User-Agent looks like a browser but common modern browser headers are missing.",
"evidence": {}
},
{
"id": "missing_accept_language",
"severity": "low",
"points": 8,
"message": "Browser-like request has no Accept-Language header.",
"evidence": {}
},
{
"id": "known_hosting_asn",
"severity": "info",
"points": 0,
"message": "ASN is in the built-in hosting/cloud/datacenter ASN list. Hosting ASN alone is not treated as risky.",
"evidence": {
"asn": 16509
}
}
]
},
"limitations": {
"datacenterPolicy": "Datacenter/hosting classification is informational only. It does not reduce score by itself.",
"ipinfoLite": "IPinfo Lite does not provide direct is_vpn/is_proxy/is_tor/is_hosting fields. This Worker uses Lite ASN/name/domain enrichment plus heuristics.",
"abuseipdb": "AbuseIPDB is used for reputation, Tor flag, reports, and usageType. UsageType alone does not reduce score.",
"realIpBehindVpn": "No website can reliably know the real ISP IP behind a properly configured VPN unless the browser leaks it through WebRTC or another client-side channel.",
"dnsLeak": "A normal Cloudflare Worker cannot see the visitor DNS resolver. Real DNS leak detection needs authoritative DNS logging for unique test subdomains."
}
}