> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chainstack.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Access rules

> Configure IP allowlists, domain allowlists, and HTTP referrer rules to control who can access your Chainstack blockchain node endpoints securely.

<Info>
  Access rules are only available for [Global Nodes](/docs/global-elastic-node).
</Info>

Access rules provide an additional layer of security for your Chainstack node endpoints by restricting access based on HTTP `Origin` header values or IP addresses.

## What are access rules?

Access rules are security filters that control which sources can send requests to your node endpoints. They work by checking incoming requests against your configured rules before processing them. This helps protect your endpoints from unauthorized access and potential abuse.

There are two types of access rules you can configure:

* **Allowed origins** — Restrict access based on the HTTP `Origin` header, allowing only requests from specific domains or subdomains.
* **IP addresses** — Restrict access to specific IP addresses.

## How access rules work

When a request is made to your node endpoint, Chainstack checks it against your configured access rules:

* If you have access rules configured — The request is only processed if it matches at least one of your rules
* If no access rules are configured — All requests are processed (subject to your normal authentication)
* If a request doesn't match any rule — The request is rejected with an error response

## Adding access rules

You can add access rules from your node details page in the Chainstack console.

<Steps>
  <Step>
    Navigate to your [project](https://console.chainstack.com/projects).
  </Step>

  <Step>
    Click on your network.
  </Step>

  <Step>
    Click on your node name.
  </Step>

  <Step>
    Click **Security**.
  </Step>

  <Step>
    Click the **+ Add** button to create a new access rule.
  </Step>

  <Step>
    Hover over the created rule, click the edit pencil icon, and click **Activate**.
  </Step>
</Steps>

You can activate and deactivate the created access rules at any time.

### Adding an allowed origin rule

Allowed origin rules restrict access based on the HTTP `Origin` header sent by browsers and applications.

<Steps>
  <Step>
    In the **Add access rule** modal, select **Allowed origin**.
  </Step>

  <Step>
    Enter the origin URL in the input field (e.g., `myapp.com`, or `myapp.example.com`, or `*.myapp.com`).
  </Step>

  <Step>
    Click **Create** to save the rule.
  </Step>

  <Step>
    Hover over the created rule, click the edit pencil icon, and click **Activate**.
  </Step>
</Steps>

You can activate and deactivate the created access rules at any time.

**Supported origin formats:**

* **Specific domains**: `myapp.com`, `app.example.com`
* **Wildcards**: `*.example.com` (matches any subdomain of example.com)

<Info>
  Wildcard rules use the `*` character to match any subdomain. For example, `*.example.com` will match `app.example.com`, `api.example.com`, and `staging.example.com`.
</Info>

### Adding an IP address rule

IP address rules restrict access to specific IP addresses.

<Steps>
  <Step>
    In the **Add access rule** modal, select **IP address**.
  </Step>

  <Step>
    Enter the IP address in the input field.
  </Step>

  <Step>
    Click **Create** to save the rule.
  </Step>
</Steps>

**Supported IP formats:**

* **IPv4 addresses**: `192.168.1.100`
* **IPv6 addresses**: `2001:db8::1`

<Info>
  Adding multiple origins or IP addresses is not supported at once is not supported. Add them one by one per created rule.
  CIDR is not supported.
</Info>

## Managing access rules

Once you've added access rules, you can view and manage them from the Access rules section of your node page.

### Viewing existing rules

All your configured access rules are listed in the Access rules section on the **Security** tab.

### Removing access rules

To remove an access rule:

<Steps>
  <Step>
    Navigate to your node's Access rules section.
  </Step>

  <Step>
    Find the rule you want to remove.
  </Step>

  <Step>
    Click the delete button (**X**) next to the rule.
  </Step>

  <Step>
    Confirm the deletion.
  </Step>
</Steps>

## Use cases and examples

### Web application security

Restrict your production node to only accept requests from your application's domain:

```
Allowed origin: myapp.com
```

### API server restrictions

If you're running an API server that connects to your Chainstack node, restrict access to your server's IP:

```
203.0.113.50
```

### Server access control

Restrict access to a specific server IP address:

```
203.0.113.25
```

### Multi-environment setup

For applications with multiple environments, use wildcard rules:

```
*.mycompany.com
```

This allows requests from `app.mycompany.com`, `staging.mycompany.com`, `dev.mycompany.com`, etc.

### Browser CORS behavior

When using allowed origin rules with web applications, ensure your application correctly sets the `Origin` header. Modern browsers automatically include this header for cross-origin requests.

<Info>
  For additional security best practices, see [How to store your Web3 dApp secrets](/docs/how-to-store-your-web3-dapp-secrets-guide-to-environment-variables).
</Info>