How to block a user based on ip address in React Js?

Last updated : May 14, 2023

Blocking a user based on their IP address on the client side is not a recommended or reliable approach. Nevertheless, if you still want to perform a client-side check in React for non-production purposes or some simple use cases, you could fetch the IP address using a public API and then conditionally render your components based on the IP. Here is an example:

import { useEffect, useState } from "react";

export const SignupForm = () => {
  const [ipAddress, setIPAddress] = useState('')
  const blockedIPs = ['123.456.78.90', '234.567.89.01']; // Add blocked IPs here

  useEffect(() => {
      .then(response => response.json())
      .then(data => setIPAddress(data.ip))
      .catch(error => console.log(error))
  }, [])

  if (blockedIPs.includes(ipAddress)) {
    return <h1>Access denied. Your IP address is blocked.</h1>
  return (
      <h1>Welcome, user!</h1>

In this component, we fetch the user's IP address and store it in a state variable. Then, when rendering the component, we check if the IP address is in our list of blocked IPs. If it is, we render a message stating that access is denied. If not, we render the regular content.

But remember, this approach is easy to bypass and is not a secure or reliable method of blocking access based on IP address. That is due to several reasons:

  1. JavaScript Limitations: JavaScript running in the browser can't block IP addresses. A user with knowledge of the browser's developer tools would easily bypass any checks.
  2. Security Risks: Making the blocked IP list accessible on the client side exposes it to anyone who inspects the code, posing a potential security risk.
  3. Ineffectiveness: A user could disable JavaScript or manipulate the client-side code to bypass the block even if you implement a client-side check.

For any serious application, you should handle this on the server side. Here's a general approach to how you might handle this:

  1. Identify the IP Address: When a request comes to your server, you can identify their IP address. In Node.js, for example, you might use request.connection.remoteAddress to determine the IP address of a request.
  2. Maintain a Block List: Maintain a list of blocked IP addresses. Depending on your requirements, that might be stored in a database, a file, or in memory.
  3. Block Requests: When a request is made to your server, check the IP address against your block list. If the IP address is on the block list, respond with error status (like 403 Forbidden).

Here's a simple example using Express.js, a Node.js web application framework:

const express = require('express');
const app = express();
const blockedIPs = ['123.456.78.90', '234.567.89.01']; // Add blocked IPs here

app.use((req, res, next) => {
  const userIP = req.connection.remoteAddress;

  if(blockedIPs.includes(userIP)) {
    res.status(403).send('Access denied. Your IP address is blocked.');
  } else {
app.listen(3000, () => console.log('Server started on port 3000'));

In this simple Express.js application, we check if the user's IP is in the blockedIPs array. If it is, we respond with a 403 status and an error message. If not, we call next() to pass control to the next handler.

L Raney
By: L Raney
Lance is a software engineer with over 15 years of experience in full-stack software development.

Comments are disabled

No Comments