Access rules are only available for Global Nodes.
Access rules provide an additional layer of security for your Chainstack node endpoints by restricting access based on HTTP Origin header values or IP addresses.
Access rules are security filters that control which sources can send requests to your node endpoints. They work by checking incoming requests against your configured rules before processing them. This helps protect your endpoints from unauthorized access and potential abuse.
There are two types of access rules you can configure:
Origin header, allowing only requests from specific domains or subdomains.
When a request is made to your node endpoint, Chainstack checks it against your configured access rules:
You can add access rules from your node details page in the Chainstack console.
Navigate to your project.
Click on your network.
Click on your node name.
Click Security.
Click the + Add button to create a new access rule.
Hover over the created rule, click the edit pencil icon, and click Activate.
You can activate and deactivate the created access rules at any time.
Allowed origin rules restrict access based on the HTTP Origin header sent by browsers and applications.
In the Add access rule modal, select Allowed origin.
Enter the origin URL in the input field (e.g., myapp.com, or myapp.example.com, or *.myapp.com).
Click Create to save the rule.
Hover over the created rule, click the edit pencil icon, and click Activate.
You can activate and deactivate the created access rules at any time.
Supported origin formats:
myapp.com, app.example.com
*.example.com (matches any subdomain of example.com)
Wildcard rules use the * character to match any subdomain. For example, *.example.com will match app.example.com, api.example.com, and staging.example.com.
IP address rules restrict access to specific IP addresses.
In the Add access rule modal, select IP address.
Enter the IP address in the input field.
Click Create to save the rule.
Supported IP formats:
192.168.1.100
2001:db8::1
Adding multiple origins or IP addresses at once is not supported. Add them one by one, one per created rule. CIDR is not supported.
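The format limits above (one value per rule, single IPv4 or IPv6 addresses only, exact or *.domain origins) can be checked locally before you type values into the console. The following is an added example, not Chainstack code: the function names are hypothetical, and the hostname pattern is a conservative assumption about what counts as a domain.

```python
import ipaddress
import re

# One DNS label: letters, digits and inner hyphens (assumed hostname grammar).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})+$", re.IGNORECASE)


def classify_rule(value):
    """Return (kind, detail); kind is 'ip', 'origin', 'wildcard-origin' or 'reject'."""
    v = value.strip()
    if not v:
        return ("reject", "empty value")
    if re.search(r"[,;\s]", v):
        return ("reject", "multiple values; create one rule per entry")
    if "/" in v:
        try:
            net = ipaddress.ip_network(v, strict=False)
        except ValueError:
            return ("reject", "not one of the listed formats")
        return ("reject", f"CIDR is not supported; {net.num_addresses} "
                          "addresses would each need their own rule")
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass  # not an IP address, so try it as an origin
    if _HOST.match(v):
        if v.rsplit(".", 1)[1].isdigit():
            return ("reject", "looks like a malformed IPv4 address")
        return ("wildcard-origin" if v.startswith("*.") else "origin", v.lower())
    return ("reject", "not one of the listed formats")


def check_rules(values):
    """Split candidate values into (accepted, rejected) lists of (value, kind, detail)."""
    accepted, rejected = [], []
    for value in values:
        kind, detail = classify_rule(value)
        (rejected if kind == "reject" else accepted).append((value, kind, detail))
    return accepted, rejected


# Constructed sample input: a mixed allowlist as it might sit in a deployment checklist.
SAMPLE = ["myapp.com", "*.example.com", "192.168.1.100", "2001:db8::1",
          "10.0.0.0/30", "myapp.com, app.example.com", "192.168.1.300"]

if __name__ == "__main__":
    ok, bad = check_rules(SAMPLE)
    for value, kind, detail in ok + bad:
        print(f"{kind:16} {value!r:32} {detail}")
```

Each accepted value corresponds to one rule to create; rejected entries state why they do not fit the formats listed on this page.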
Once you’ve added access rules, you can view and manage them from the Access rules section of your node page.
All your configured access rules are listed in the Access rules section on the Security tab.
To remove an access rule:
Navigate to your node’s Access rules section.
Find the rule you want to remove.
Click the delete button (X) next to the rule.
Confirm the deletion.
Restrict your production node to only accept requests from your application’s domain:
If you’re running an API server that connects to your Chainstack node, restrict access to your server’s IP:
Restrict access to a specific server IP address:
For applications with multiple environments, use wildcard rules:
This allows requests from app.mycompany.com, staging.mycompany.com, dev.mycompany.com, etc.
When using allowed origin rules with web applications, ensure your application correctly sets the Origin header. Modern browsers automatically include this header for cross-origin requests.
For additional security best practices, see How to store your Web3 dApp secrets.