Authorization

IP Restriction Policy

Custom Policy Example

Zuplo is extensible, so we don't have a built-in policy for IP Restriction, instead we've a template here that shows you how you can use your superpower (code) to achieve your goals. To learn more about custom policies see the documentation.

This custom policy allows you to specify a set of IP addresses that are allowed or blocked from making requests on your API. This can be useful for adding light-weight security to your API in non-critical scenarios. For example, if you want to ensure only employees on your corporate VPN can't access development environments.

Generally, this policy shouldn't be relied upon as the only security for protecting sensitive workloads.


modules/my-policy.ts
import { HttpProblems, ZuploContext, ZuploRequest } from "@zuplo/runtime";
import ipRangeCheck from "ip-range-check";

interface PolicyOptions {
  allowedIpAddresses?: string[];
  blockedIpAddresses?: string[];
}

export default async function (
  request: ZuploRequest,
  context: ZuploContext,
  options: PolicyOptions,
  policyName: string,
) {
  // TODO: Validate the policy options. Skipping in the example for brevity

  // Get the incoming IP address
  const ip = request.headers.get("true-client-ip");

  // If the allowed IP addresses are set, then the incoming IP
  // must be in that list
  if (options.allowedIpAddresses) {
    const allowed = ipRangeCheck(ip, options.allowedIpAddresses);
    if (!allowed) {
      return HttpProblems.unauthorized(request, context);
    }
  }

  // If the blocked IP addresses are set, then the incoming IP
  // can't be in that list
  if (options.blockedIpAddresses) {
    const blocked = ipRangeCheck(ip, options.allowedIpAddresses);
    if (blocked) {
      return HttpProblems.unauthorized(request, context);
    }
  }

  // If we made it this far, the IP address is allowed, continue
  return request;
}

Configuration

The example below shows how to configure a custom code policy in the 'policies.json' document that utilizes the above example policy code.


config/policies.json
{
  "name": "my-ip-restriction-inbound-policy",
  "policyType": "ip-restriction-inbound",
  "handler": {
    "export": "default",
    "module": "$import(./modules/YOUR_MODULE)",
    "options": {
      "allowedIpAddresses": ["184.42.1.4", "102.1.5.2/24"]
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be ip-restriction-inbound.
handler.export <string> - The name of the exported type. Value should be default.
handler.module <string> - The module containing the policy. Value should be $import(./modules/YOUR_MODULE).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

allowedIpAddresses <string[]> - The IP addresses or CIDR ranges to allow
blockedIpAddresses <string[]> - The IP addresses or CIDR ranges to allow

Using the Policy

Read more about how policies work

Edit this page

Last modified on May 29, 2026

Geo-location filtering Policy Rate Limiting Policy

IP Restriction Policy

Custom Policy Example

Generally, this policy shouldn't be relied upon as the only security for protecting sensitive workloads.

modules/my-policy.ts

import { HttpProblems, ZuploContext, ZuploRequest } from "@zuplo/runtime";
import ipRangeCheck from "ip-range-check";

interface PolicyOptions {
  allowedIpAddresses?: string[];
  blockedIpAddresses?: string[];
}

export default async function (
  request: ZuploRequest,
  context: ZuploContext,
  options: PolicyOptions,
  policyName: string,
) {
  // TODO: Validate the policy options. Skipping in the example for brevity

  // Get the incoming IP address
  const ip = request.headers.get("true-client-ip");

  // If the allowed IP addresses are set, then the incoming IP
  // must be in that list
  if (options.allowedIpAddresses) {
    const allowed = ipRangeCheck(ip, options.allowedIpAddresses);
    if (!allowed) {
      return HttpProblems.unauthorized(request, context);
    }
  }

  // If the blocked IP addresses are set, then the incoming IP
  // can't be in that list
  if (options.blockedIpAddresses) {
    const blocked = ipRangeCheck(ip, options.allowedIpAddresses);
    if (blocked) {
      return HttpProblems.unauthorized(request, context);
    }
  }

  // If we made it this far, the IP address is allowed, continue
  return request;
}

Configuration

The example below shows how to configure a custom code policy in the 'policies.json' document that utilizes the above example policy code.

config/policies.json

{
  "name": "my-ip-restriction-inbound-policy",
  "policyType": "ip-restriction-inbound",
  "handler": {
    "export": "default",
    "module": "$import(./modules/YOUR_MODULE)",
    "options": {
      "allowedIpAddresses": ["184.42.1.4", "102.1.5.2/24"]
    }
  }
}

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.

policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be ip-restriction-inbound.

handler.export <string> - The name of the exported type. Value should be default.

handler.module <string> - The module containing the policy. Value should be $import(./modules/YOUR_MODULE).

handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

allowedIpAddresses <string[]> - The IP addresses or CIDR ranges to allow

blockedIpAddresses <string[]> - The IP addresses or CIDR ranges to allow