Security
Access rules
Access rules are only available for Global Nodes.
Origin header values or IP addresses.
What are access rules?
Access rules are security filters that control which sources can send requests to your node endpoints. They work by checking incoming requests against your configured rules before processing them. This helps protect your endpoints from unauthorized access and potential abuse. There are two types of access rules you can configure:- Allowed origins — Restrict access based on the HTTP
Originheader, allowing only requests from specific domains or subdomains. - IP addresses — Restrict access to specific IP addresses.
How access rules work
When a request is made to your node endpoint, Chainstack checks it against your configured access rules:- If you have access rules configured — The request is only processed if it matches at least one of your rules
- If no access rules are configured — All requests are processed (subject to your normal authentication)
- If a request doesn’t match any rule — The request is rejected with an error response
Adding access rules
You can add access rules from your node details page in the Chainstack console.1
Navigate to your project.
2
Click on your network.
3
Click on your node name.
4
Click Security.
5
Click the + Add button to create a new access rule.
6
Hover over the created rule, click the edit pencil icon, and click Activate.
Adding an allowed origin rule
Allowed origin rules restrict access based on the HTTPOrigin header sent by browsers and applications.
1
In the Add access rule modal, select Allowed origin.
2
Enter the origin URL in the input field (e.g.,
myapp.com, or myapp.example.com, or *.myapp.com).3
Click Create to save the rule.
4
Hover over the created rule, click the edit pencil icon, and click Activate.
- Specific domains:
myapp.com,app.example.com - Wildcards:
*.example.com(matches any subdomain of example.com)
Wildcard rules use the
* character to match any subdomain. For example, *.example.com will match app.example.com, api.example.com, and staging.example.com.Adding an IP address rule
IP address rules restrict access to specific IP addresses.1
In the Add access rule modal, select IP address.
2
Enter the IP address in the input field.
3
Click Create to save the rule.
- IPv4 addresses:
192.168.1.100 - IPv6 addresses:
2001:db8::1
Adding multiple origins or IP addresses is not supported at once is not supported. Add them one by one per created rule.
CIDR is not supported.
Managing access rules
Once you’ve added access rules, you can view and manage them from the Access rules section of your node page.Viewing existing rules
All your configured access rules are listed in the Access rules section on the Security tab.Removing access rules
To remove an access rule:1
Navigate to your node’s Access rules section.
2
Find the rule you want to remove.
3
Click the delete button (X) next to the rule.
4
Confirm the deletion.
Use cases and examples
Web application security
Restrict your production node to only accept requests from your application’s domain:API server restrictions
If you’re running an API server that connects to your Chainstack node, restrict access to your server’s IP:Server access control
Restrict access to a specific server IP address:Multi-environment setup
For applications with multiple environments, use wildcard rules:app.mycompany.com, staging.mycompany.com, dev.mycompany.com, etc.
Browser CORS behavior
When using allowed origin rules with web applications, ensure your application correctly sets theOrigin header. Modern browsers automatically include this header for cross-origin requests.
For additional security best practices, see How to store your Web3 dApp secrets.