1. Overview
  2. Configuration
  3. Filter rules

Filter rules

Filter rules let you block or challenge traffic based on IP address, country, or user agent. Use them to restrict access to specific paths or protect your entire site from unwanted visitors.

Creating Rules

Open your endpoint in the dashboard, switch to the Filter Rules tab, and click Add Rule. Each rule has these settings:

Path — The URL path to match. Use /* for all paths, or /admin/* to match a specific section.

Type — What to match against: IP address, country, or user agent.

Match type — Either "is" (matches) or "is not" (doesn't match).

Value — The IP address, country code(s), or user agent pattern to match.

Action — What to do when the rule matches: block or challenge.

Actions

Block immediately returns a 403 Forbidden response. Use this for known bad actors or regions you don't serve.

Challenge shows an interactive verification page. Legitimate browsers pass automatically within a few seconds. Bots and automated tools are blocked. Visitors who pass receive a 24-hour bypass cookie.

Examples

Block a specific IP

  • Path: /*

  • Type: IP

  • Match: is

  • Value: 192.0.2.1

  • Action: Block

Block traffic from specific countries

  • Path: /*

  • Type: Country

  • Match: is

  • Value: CN, RU

  • Action: Block

Protect admin area with challenge

  • Path: /admin/*

  • Type: Country

  • Match: is not

  • Value: SE, NL

  • Action: Challenge

Block a bot by user agent

  • Path: /*

  • Type: User Agent

  • Match: is

  • Value: *AhrefsBot*

  • Action: Block

Path Matching

Paths support wildcards. Use * to match any characters:

  • /admin/* matches /admin/, /admin/settings, /admin/users/1

  • /api/*/public matches /api/v1/public, /api/v2/public

  • /* matches all paths

Country Codes

Use two-letter ISO country codes (e.g., US, DE, SE, NL). You can select multiple countries for a single rule.

Evaluation Order

Rules are evaluated in order. The first matching rule determines the action. If no rules match, the request proceeds normally.

Built-in Protection

All endpoints include automatic protection against SQL injection, XSS, path traversal, and command injection attacks. This protection runs before your filter rules and cannot be disabled.