Problem
Projects currently accept API requests from any IP address globally. For enterprise users, internal tools, or sensitive applications, this is a security risk — leaked API keys can be used from anywhere. There is no mechanism to restrict API access to specific IP ranges (e.g., office VPN, cloud VPC, home network).
Proposed Improvement
Add project-level IP access control that allows owners to configure allowlists and denylists for API key usage. The feature should:
- Support CIDR notation (e.g.,
192.168.1.0/24, 10.0.0.0/8) and individual IPs
- Evaluate IP restrictions on every API request before rate limiting and auth
- Default to "allow all" if no rules are configured (backward compatible)
- Support both allowlist mode (block everything except listed) and denylist mode (allow everything except listed)
- Return
403 Forbidden with X-Blocked-By-IP-Policy: true header when blocked
- Log all IP policy violations to the audit trail
- Show IP rules in dashboard with visual CIDR validator and conflict detection
Expected Impact
- Better security for enterprise and sensitive projects
- Reduced blast radius from leaked API keys
- Improved compliance with corporate network policies
- Better long-term scalability with enterprise-grade access control
Possible Implementation
- Add
IpAccessRule model in packages/common/models/ with fields: projectId, cidr, type ('allow' | 'deny'), mode ('allowlist' | 'denylist'), description
- Add
ipAccessControl middleware in apps/public-api/middleware/ evaluating req.ip against rules
- Add
POST /api/projects/{id}/ip-rules, GET, DELETE endpoints in dashboard-api
- Use
ip-range-check or netmask library for CIDR matching
- Add dashboard UI: IP rule table, CIDR validator with live preview, mode toggle
- Update
docker-compose.yml to include TRUSTED_PROXY_COUNT for accurate X-Forwarded-For parsing
- Write tests for CIDR matching, allowlist/denylist logic, header spoofing attempts, and bypass scenarios
I'm GSSoC'26 contributor, Please assign this task to me!
Problem
Projects currently accept API requests from any IP address globally. For enterprise users, internal tools, or sensitive applications, this is a security risk — leaked API keys can be used from anywhere. There is no mechanism to restrict API access to specific IP ranges (e.g., office VPN, cloud VPC, home network).
Proposed Improvement
Add project-level IP access control that allows owners to configure allowlists and denylists for API key usage. The feature should:
192.168.1.0/24,10.0.0.0/8) and individual IPs403 ForbiddenwithX-Blocked-By-IP-Policy: trueheader when blockedExpected Impact
Possible Implementation
IpAccessRulemodel inpackages/common/models/with fields:projectId,cidr,type('allow' | 'deny'),mode('allowlist' | 'denylist'),descriptionipAccessControlmiddleware inapps/public-api/middleware/evaluatingreq.ipagainst rulesPOST /api/projects/{id}/ip-rules,GET,DELETEendpoints in dashboard-apiip-range-checkornetmasklibrary for CIDR matchingdocker-compose.ymlto includeTRUSTED_PROXY_COUNTfor accurateX-Forwarded-ForparsingI'm GSSoC'26 contributor, Please assign this task to me!