Access rules
Access rules are only available for Global Nodes.
Access rules provide an additional layer of security for your Chainstack node endpoints by restricting access based on HTTP Origin header values or IP addresses.
What are access rules?
Access rules are security filters that control which sources can send requests to your node endpoints. They work by checking incoming requests against your configured rules before processing them. This helps protect your endpoints from unauthorized access and potential abuse.
There are two types of access rules you can configure:
- Allowed origins — Restrict access based on the HTTP
Originheader, allowing only requests from specific domains or subdomains. - IP addresses — Restrict access to specific IP addresses.
How access rules work
When a request is made to your node endpoint, Chainstack checks it against your configured access rules:
- If you have access rules configured — The request is only processed if it matches at least one of your rules
- If no access rules are configured — All requests are processed (subject to your normal authentication)
- If a request doesn’t match any rule — The request is rejected with an error response
Adding access rules
You can add access rules from your node details page in the Chainstack console.
Navigate to your project.
Click on your network.
Click on your node name.
Click Security.
Click the + Add button to create a new access rule.
Hover over the created rule, click the edit pencil icon, and click Activate.
You can activate and deactivate the created access rules at any time.
Adding an allowed origin rule
Allowed origin rules restrict access based on the HTTP Origin header sent by browsers and applications.
In the Add access rule modal, select Allowed origin.
Enter the origin URL in the input field (e.g., myapp.com, or myapp.example.com, or *.myapp.com).
Click Create to save the rule.
Hover over the created rule, click the edit pencil icon, and click Activate.
You can activate and deactivate the created access rules at any time.
Supported origin formats:
- Specific domains:
myapp.com,app.example.com - Wildcards:
*.example.com(matches any subdomain of example.com)
Wildcard rules use the * character to match any subdomain. For example, *.example.com will match app.example.com, api.example.com, and staging.example.com.
Adding an IP address rule
IP address rules restrict access to specific IP addresses.
In the Add access rule modal, select IP address.
Enter the IP address in the input field.
Click Create to save the rule.
Supported IP formats:
- IPv4 addresses:
192.168.1.100 - IPv6 addresses:
2001:db8::1
Adding multiple origins or IP addresses is not supported at once is not supported. Add them one by one per created rule. CIDR is not supported.
Managing access rules
Once you’ve added access rules, you can view and manage them from the Access rules section of your node page.
Viewing existing rules
All your configured access rules are listed in the Access rules section on the Security tab.
Removing access rules
To remove an access rule:
Navigate to your node’s Access rules section.
Find the rule you want to remove.
Click the delete button (X) next to the rule.
Confirm the deletion.
Use cases and examples
Web application security
Restrict your production node to only accept requests from your application’s domain:
API server restrictions
If you’re running an API server that connects to your Chainstack node, restrict access to your server’s IP:
Server access control
Restrict access to a specific server IP address:
Multi-environment setup
For applications with multiple environments, use wildcard rules:
This allows requests from app.mycompany.com, staging.mycompany.com, dev.mycompany.com, etc.
Browser CORS behavior
When using allowed origin rules with web applications, ensure your application correctly sets the Origin header. Modern browsers automatically include this header for cross-origin requests.
For additional security best practices, see How to store your Web3 dApp secrets.