Help4 Net is designed so public web traffic reaches your site through Help4 POPs first. That keeps CDN caching, WAF filtering, virtual patches, logging, and failover controls in front of the origin instead of leaving a direct path around them.
Some operational exceptions are legitimate: migration testing, emergency recovery, origin health checks, or protocols Help4 is not proxying yet. Those exceptions should be private, time bounded, logged, and removed when the need ends.
Use these with the bypass-prevention checklist during onboarding and security reviews.