A new method to check whether a site behind a CDN is hosted in Iran using a 'boob check' has been developed


By Etolane

In countries with strict internet restrictions, it can be difficult to tell from the outside whether a website is even hosted in Iran. An Iranian engineer working abroad has developed a 'boob check' to determine whether a website using a CDN is hosted in Iran, and this has become a hot topic on the social news site Hacker News.



“Boobs check” – Technique to verify if sites behind CDN are hosted in Iran | Hacker News
https://news.ycombinator.com/item?id=46100323

Hamid Kashfi posted on his X account, 'Here's my newest and oldest method to check if a site behind a CDN is hosted in Iran. It works in most cases. I call it the 'BOOBS CHECK.'' The specific steps are to run the following command using the domain name of the website you want to determine if it is hosted in Iran:
[code]
curl -i https://<website domain name>/boobs.jpg
[/code]


Read the result from the command output: if it looks like the following, the request has reached the .ir domain, meaning that the website is hosted in Iran.

- The HTTP response status code is '403 Forbidden'
- The response body contains the IP address '10.10.34.x'

An actual command execution result is shown below. The status '403 Forbidden' is returned, and the body of the message contains '10.10.34.36', confirming that the website is hosted in Iran.
[code]
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 337

<html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1256'><title>NTL1</title>
</head><body><iframe src='http://10.10.34.36/?type=Invalid Keyword&policy=MainPolicy ' style='width: 100%; height: 100%' scrolling='no' marginwidth='0' marginheight='0' frameborder='0' vspace='0' hspace='0'></iframe></body></html>
[/code]


On the other hand, if the HTTP response status code is '404 Not Found', it means that there is no website with that domain name.

In other words, by requesting a URL containing a non-existent file called 'boobs.jpg' and a restricted string, the following can be determined:

- Website is hosted: access is restricted, resulting in '403 Forbidden'.
- Website not hosted: '404 Not Found' due to a non-existent domain name.
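
The decision rule above, written as a script that classifies saved `curl -i` output. This is an added example, not code from Hamid Kashfi's post or from this article; the function name, verdict labels and sample responses are constructed for illustration. It assumes that a 403 without the 10.10.34.x marker in the body (for example one produced by the CDN itself) supports no conclusion.

```shell
#!/bin/sh
# Added example: classify saved `curl -i` output using the article's indicators.
# Reads a raw HTTP response on stdin and prints exactly one verdict:
#   filter-page   403 and the body references 10.10.34.x (the article's positive result)
#   not-found     404
#   inconclusive  anything else, including a 403 without the 10.10.34.x marker (assumption)
classify_response() {
    cr_resp=$(tr -d '\r')    # curl -i output has CRLF line endings
    # Status code is field 2 of the status line ("HTTP/1.1 403 Forbidden", "HTTP/2 403").
    cr_status=$(printf '%s\n' "$cr_resp" | awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }')
    # The body is everything after the first blank line.
    cr_body=$(printf '%s\n' "$cr_resp" | awk 'seen { print } /^$/ { seen = 1 }')
    case "$cr_status" in
        403)
            # Match 10.10.34.<1-3 digits> only as a whole address, so that
            # 110.10.34.5 or 10.10.34.5.6 do not count.
            if printf '%s\n' "$cr_body" |
                grep -Eq '(^|[^0-9.])10\.10\.34\.[0-9]{1,3}([^0-9.]|$)'; then
                echo filter-page
            else
                echo inconclusive
            fi ;;
        404) echo not-found ;;
        *)   echo inconclusive ;;
    esac
}

# Constructed sample inputs (the first is shortened from the response shown above).
sample_filter_page() {
    printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=utf-8\r\n\r\n'
    printf "<html><body><iframe src='http://10.10.34.36/?type=Invalid Keyword&policy=MainPolicy'></iframe></body></html>\n"
}
sample_cdn_403() {   # a 403 generated by something else: no marker, so no conclusion
    printf 'HTTP/2 403\r\ncontent-type: text/html\r\n\r\n<html><body>Access denied</body></html>\n'
}
sample_404() {
    printf 'HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n'
}

# Demo run over the constructed samples.
for s in sample_filter_page sample_cdn_403 sample_404; do
    printf '%s: %s\n' "$s" "$("$s" | classify_response)"
done
```

To classify a real capture, save the command's output to a file and feed it to the function on stdin, e.g. `classify_response < response.txt` (the file name is a placeholder).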

Hamid's post received a variety of responses. Regarding the technical validity of the 'boob check,' one commenter suggested that this technique would only work if Flexible SSL was used, meaning the CDN uses HTTPS to connect to the client but plain HTTP to connect to the origin server. In short, this technique should not work if TLS is configured on the origin server.



However, it is possible that the need for internet censorship in Iran has led to restrictions on the use of plain HTML, and it is also known that connection monitoring, such as intercepting TLS handshakes, is carried out. As a result, it is possible that the conditions are ripe for the effective use of the 'boob check.'



The cutting-edge internet censorship model being implemented in Iran, such as TLS handshake interception, is discussed in detail in the following paper:

[2507.14183] Iran's Stealth Internet Blackout: A New Model of Censorship
https://arxiv.org/abs/2507.14183

in Software, Posted by log1c_sh