---
title: "The full map of side doors most porn blockers miss"
description: "VPNs, in-app browsers, translator tricks, PDF hosts, safe mode: the complete inventory of routes around a filter, and the layer that closes each one."
url: https://tkot.com/journal/side-doors-most-porn-blockers-miss/
canonical: https://tkot.com/journal/side-doors-most-porn-blockers-miss/
author: "Arya Stark"
published: 2026-06-07
updated: 2026-06-07
category: "Loopholes"
tags: ["side doors", "loopholes", "block porn", "layered defense", "bypass-proofing"]
lang: en
---

# The full map of side doors most porn blockers miss

> **TL;DR** Most blockers fail because they guard one layer while relapse routes exist on five: network doors (VPNs, encrypted DNS, cellular), browser doors (incognito, translators, fresh browsers), in-app doors (webviews, feeds, GIF search), file doors (PDF hosts, cloud drives, AirDrop), and machine doors (safe mode, guest accounts, the off switch). The fix is not a longer blocklist, it is matching a defense layer to each door type. TKO'T was built door by door this way, free, on Mac and iPhone.

Every relapse that gets past a blocker walks through a door the blocker never knew existed. If you have played this game, install a filter, feel safe for a week, then discover the one route it does not cover, you already know the pattern: it is whack-a-mole, and the mole is you at 1 a.m., the most motivated penetration tester your setup will ever face. The answer is not a longer blocklist. It is a map of every door type and a layer that guards each one, which is exactly the architecture [TKO'T](/#download) was built around: its on-device screen watcher catches what DNS filtering can never see, and the doors below explain why both layers have to exist.

One rule before the map: this page describes each door only enough to close it. The fix is the point.

## Why one more loophole always shows up

A conventional blocker is a list of addresses it refuses to load. That design has a structural blind spot: it can only stop content that arrives from a known address through a normal channel. Anything that changes the address (a mirror site, a brand-new domain), hides the address (a proxy, [DNS over HTTPS](https://datatracker.ietf.org/doc/html/rfc8484)), or never touches the address system at all (a file someone sent you, content inside an app) walks straight past it. The person trying to quit eventually discovers one of these by accident, and after that the urge knows the way. So the doors below are not exotic hacks. They are the ordinary gaps between layers, and each has a matching defense.

## Network doors

**VPNs and proxies.** A VPN wraps traffic so the filter cannot see where it is going; web proxies and mirror sites do the same job in a browser tab. Close it by blocking VPN and proxy categories at the device level, not just individual sites, and by using a blocker that still sees the screen after the network layer has been fooled; [the full VPN-and-proxy defense](/journal/block-porn-even-with-vpn-or-proxy/) walks through it.

**Encrypted DNS.** Modern browsers can ship their own [DNS over HTTPS](https://datatracker.ietf.org/doc/html/rfc8484), quietly routing lookups around your filtering DNS. Close it with a device profile that pins DNS settings; Apple documents how a managed [DNS payload](https://support.apple.com/guide/deployment/dns-settings-dep91d2eb26/web) locks the resolver so apps cannot pick their own.

**Cellular and tethering.** A Wi-Fi-only filter dies the moment Wi-Fi turns off. Close it with on-device blocking that rides every connection, which is also why router-only setups are a first layer, not a final one.

## Browser doors

**Private and incognito tabs.** On a properly restricted iPhone they disappear entirely, which is the correct outcome, [the Safari setup covers it](/journal/how-to-block-porn-in-safari-on-iphone/).

**The fresh browser.** A newly installed browser inherits none of the old browser's rules. Close it by locking app installs and filtering beneath the browser layer, at DNS and screen level, so a new app changes nothing.

**Translator and cache tricks.** Translation services and cached-page viewers re-serve a blocked page from an allowed domain. A domain list cannot win here, because the domain is legitimate. Only [a layer that evaluates what is actually rendered on screen](/journal/blockers-that-detect-explicit-content-on-screen/) closes this door for good.

**URL shorteners.** A shortened link hides its destination until it is already loading. Same answer: [judge the destination, not the address](/journal/block-url-shorteners-that-hide-the-real-link/).

**The fresh browser.** Block one browser and the next one downloads clean; [defend the install step and the layers below the browser](/journal/stop-a-fresh-browser-from-reopening-everything/) instead.

## Inside-app doors

**In-app browsers and webviews.** Half the apps on a phone embed a browser that ignores Safari's rules. System-level filtering catches the network half; the screen layer catches the rest.

**GIF and sticker keyboards.** The keyboard's own search [pulls suggestive media into any chat](/journal/remove-explicit-gif-and-sticker-search-from-keyboard/) with no site visited; disable the feature and let the screen layer back it up.

**Feeds, GIF search, and adult sections of otherwise normal platforms.** Social feeds, sticker keyboards, and the adult corners of streaming and gaming platforms deliver explicit material from domains you cannot block outright without breaking the whole service. This is the door category lists handle worst and content-aware blocking handles best: the page is fine until the content is not, and the decision has to happen at render time. [Filtering softcore triggers in-feed, without deleting the app](/journal/block-softcore-triggers-in-social-feeds/), covers this door in full.

## File doors

**Document and PDF hosts.** Explicit material gets repackaged into PDFs and slide decks on [ordinary document-hosting and cloud-drive domains](/journal/block-document-hosts-and-cloud-drives-hiding-porn/) that no sane blocklist can ban wholesale.

**Drawn content, text, and audio.** Explicit [comics and manga](/journal/block-explicit-comics-manga-and-drawn-content/), [erotic text](/journal/block-explicit-text-erotica-stories-fanfiction/), and [NSFW audio](/journal/block-nsfw-audio-and-asmr/) each slip past a filter tuned only for photo and video, and each needs its own layer.

**Saved media and peer-to-peer sharing.** Anything already downloaded, or AirDropped from another device, never touches a filter at all. Clearing stored media and disabling open AirDrop are part of the setup, not an afterthought.

## Search doors

**SafeSearch that quietly turns off.** Google's [SafeSearch](https://support.google.com/websearch/answer/510) filters explicit results, but it only helps while it is locked on. **Alternative search engines** that ignore SafeSearch conventions are the classic next move. Close both by enforcing SafeSearch at the device level and blocking the search engines that will not honor it, then treat image search as the side door it is, Apple's [content restrictions](https://support.apple.com/en-us/105121) cover the iPhone half.

## Machine doors

**Safe mode, guest accounts, and new user profiles.** A blocker that does not survive a reboot into safe mode, or does not exist for the guest account, is optional software. Close these with system-level installation and by [removing your own admin rights on the Mac](/journal/how-to-block-porn-on-a-mac/).

**The off switch itself.** The most-used door on this whole map is the legitimate one: the uninstall button at 1 a.m. [Why blockers keep getting turned off](/journal/why-your-porn-blocker-keeps-getting-turned-off-and-the-fix/) is its own subject, and the short version is that the undo has to be slower than the urge.

## Match the layer to the door

Read back through the map and a pattern appears: every door belongs to one of a few families, and each family has exactly one defense that works.

| Door family | What it defeats | The layer that closes it |
|---|---|---|
| Address tricks (VPN, proxy, new domains, shorteners) | Domain blocklists | VPN/proxy category blocking + content-aware screen layer |
| Render tricks (translators, caches, feeds, webviews) | All network filtering | On-screen detection at render time |
| Settings tricks (DNS swap, SafeSearch off, safe mode) | Honor-system configs | Locked device profiles + system-level install |
| The off switch | Everything else | Tamper resistance: an undo slower than the urge |

This is the architecture TKO'T productizes: a DNS layer for the address-shaped doors, an on-device screen watcher that reads what is actually rendered and closes the window in under 80 milliseconds for the doors DNS cannot see, locked SafeSearch and search-engine enforcement, and tamper resistance over the whole stack. Free, private, on Mac and iPhone, built one closed door at a time by someone who found each of these routes himself first.

Start with [the complete iPhone setup](/journal/how-to-block-porn-on-iphone-the-complete-setup/) and the Mac guide above, then come back to this map whenever a new route surprises you. It will belong to one of these families, and the family tells you the fix.

## Frequently asked questions

### How do I block premium fan subscription sites on my Mac completely?

Block the category at DNS level, then close the routes around it: VPNs, web proxies, and mirror domains that re-serve the same content. Because these platforms constantly spawn new addresses, a content-aware layer matters more than the blocklist; TKO'T's screen watcher closes the window on explicit content regardless of which domain served it, free, on Mac and iPhone.

### Is there an app that sounds an alarm when I try to access bad sites?

Alarm-style blockers exist, but an alert you can dismiss is a speed bump, not a wall. The stronger design reacts instead of warning: on-screen detection that closes the window the moment explicit content renders, faster than a second thought. Pair that with a friction layer for the off switch and the alarm becomes unnecessary.

### How do I block the adult sections of gaming and live-stream platforms without losing the whole site?

Domain blocking cannot split a platform in half, so this needs content-level filtering: enforced SafeSearch, the platform's own restricted mode where one exists, and a screen layer that evaluates what is actually rendered. That combination keeps the normal sections usable while the adult corners hit a closed window.

### What exactly is a side door in porn blocking?

A side door is any route that delivers explicit content without tripping the filter: a VPN, an in-app browser, a translated copy of a blocked page, a PDF on a document host, a guest account. Each one exists because a single-layer blocker can only guard one kind of route, which is why layered, on-device defense is the only approach that holds.

### Can I close every side door at once?

You can close every family of doors at once, which is better than chasing doors one by one. Lock the network layer (DNS, VPN categories), lock the settings (profiles, SafeSearch, admin rights), add a render-time screen layer for everything address-based filtering misses, and make the whole stack tamper-resistant. New tricks will appear; new families almost never do.

---

Source: https://tkot.com/journal/side-doors-most-porn-blockers-miss/
Author: Arya Stark
