The protection has to sit in the HTTP client library after resolving the hostname to IP address, before connecting.