
Filter requests based on IP address

Overview

You can configure the SuperTokens core so that it accepts or denies requests based on the IP address they originate from. This ensures that only your backend can query the SuperTokens core, which reduces the core's exposure.

Before you start

This page is only relevant if you are self hosting SuperTokens.

For the managed service, navigate to your dashboard and open the edit configuration section to set this value.

Allow requests

docker run \
-p 3567:3567 \
-e IP_ALLOW_REGEX="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>

The above only allows requests that originate from an IP matching the regular expression 127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1. A breakdown of this regex:

  • 127\.\d+\.\d+\.\d+: IPs that start with 127.; OR
  • ::1: IPv6 from localhost; OR
  • 0:0:0:0:0:0:0:1: IPv6 from localhost

With this setting, only requests from localhost are allowed; for any other request, the core returns a 403 status code. If instead you want to allow a list of IP addresses corresponding to your backend servers, set this value to IP1|IP2|IP3... - for example: 100.12.12.3|192.167.4.3|50.32.5.1.

If this value is not set, then the core allows requests from any IP address.

Deny requests

This is the opposite of the above configuration. If only this value is set, the core allows requests from any IP except those that match the regular expression given in this setting.

docker run \
-p 3567:3567 \
-e IP_DENY_REGEX="100.1.1.3" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>

The above setting makes the core accept requests from any IP other than 100.1.1.3. For 100.1.1.3, it returns a 403.

What if you set both the configurations?

In this case, the core allows a request only if its IP matches ip_allow_regex and does not match ip_deny_regex. For example, if you set ip_allow_regex: IP1|IP2 and ip_deny_regex: IP1, then the core accepts requests only from IP2.
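To make the allow-only, deny-only and combined cases concrete, here is an added Python model of the filtering rule described on this page (an example written for this page, not SuperTokens' own code). It assumes the regex is matched against the whole client IP string, and its backend_allow_regex helper shows why the dots in an address should be escaped.

```python
import re
from typing import Iterable, List, Optional

# Added example, not SuperTokens' own code: a model of the filtering rule
# described above. Assumption: the core matches the regex against the whole
# client IP string (re.fullmatch); confirm against the core version you run.

LOCALHOST_REGEX = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def is_request_allowed(client_ip: str,
                       ip_allow_regex: Optional[str] = None,
                       ip_deny_regex: Optional[str] = None) -> bool:
    """True if the core would accept a request from client_ip.
    deny regex set and matching -> 403, regardless of the allow regex
    allow regex set             -> accepted only if the IP matches it
    neither set                 -> accepted from any IP
    """
    if ip_deny_regex is not None and re.fullmatch(ip_deny_regex, client_ip):
        return False
    if ip_allow_regex is not None:
        return re.fullmatch(ip_allow_regex, client_ip) is not None
    return True


def allowed_ips(candidates: Iterable[str], ip_allow_regex: Optional[str] = None,
                ip_deny_regex: Optional[str] = None) -> List[str]:
    """Filter candidate IPs down to those the configuration lets through."""
    return [ip for ip in candidates
            if is_request_allowed(ip, ip_allow_regex, ip_deny_regex)]


def backend_allow_regex(ips: Iterable[str]) -> str:
    """Build an allow regex for a fixed list of backend IPs.
    re.escape makes each '.' literal: in an unescaped pattern '.' matches any
    character, so 100.1.1.3 would also match a string like 100x1y1z3.
    """
    return "|".join(re.escape(ip) for ip in ips)


if __name__ == "__main__":
    # Constructed sample client IPs, not taken from a real deployment.
    sample = ["127.0.0.1", "127.200.1.9", "::1", "0:0:0:0:0:0:0:1",
              "10.0.0.5", "100.1.1.3"]
    print(allowed_ips(sample, LOCALHOST_REGEX))                # localhost only
    print(allowed_ips(sample, ip_deny_regex=r"100\.1\.1\.3"))  # all but one
    print(allowed_ips(sample, backend_allow_regex(["10.0.0.5", "100.1.1.3"]),
                      r"100\.1\.1\.3"))                        # ['10.0.0.5']
```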