Adding an IP Firewall to Fastify Without Cloudflare

Fastify's onRequest hook + a managed blocklist gives you a real IP firewall in one line. No CDN, no DNS changes.

May 9, 2026·4 min read

Fastify's onRequest hook is the right place if you want application-level control. The SecureNow preload is the right place if you want a managed 500k-IP blocklist with zero maintenance.

Option 1: SecureNow preload (recommended)

npm install securenow
node -r securenow/firewall-only server.js

500k IPs blocked, hourly refresh, automatic crawler allowlisting. No Fastify code changes.

Option 2: Fastify hook

import Fastify from 'fastify';

const app = Fastify({ trustProxy: 1 });

const blocklist = new Set();
// ... populate from feed

app.addHook('onRequest', async (req, reply) => {
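  // trustProxy: 1 makes Fastify resolve req.ip from X-Forwarded-For via the one trusted proxy hop.
  // Reading the leftmost header value directly would let the client pick the address that gets checked.
  const ip = req.ip;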
  if (blocklist.has(ip)) {
    return reply.code(403).send('Forbidden');
  }
});

Workable for small static lists. For 500k entries refreshed hourly, the preload is the practical choice.
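
A matcher the Option 2 hook could call in place of the bare Set, shown as an added example (not code from the original post or from SecureNow). It handles CIDR ranges, IPv4-mapped IPv6 peer addresses, and a refresh that returns an empty feed. The feed format and every function name are assumptions, and IPv6 entries are skipped.

```javascript
// Added example, not SecureNow or Fastify code. The feed format (one IPv4
// address or CIDR per line, '#' comments) and all names are assumptions.

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((n, p) => n * 256 + Number(p), 0) : null;
}

// Network base of n for a prefix length (plain arithmetic avoids signed 32-bit ops).
const networkOf = (n, len) => Math.floor(n / 2 ** (32 - len)) * 2 ** (32 - len);

// Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; strip that prefix.
const normalizeIp = (ip) => ip.replace(/^::ffff:(?=\d+\.\d+\.\d+\.\d+$)/i, '');

// Parse feed text into one Set of networks per prefix length (single IPs are /32).
function parseFeed(text) {
  const list = { prefixes: new Map(), count: 0 };
  for (const raw of text.split('\n')) {
    const m = /^([\d.]+)(?:\/(\d{1,2}))?$/.exec(raw.split('#')[0].trim());
    const n = m ? ipv4ToInt(m[1]) : null;
    if (n === null) continue; // comment, IPv6, or malformed line
    const len = m[2] === undefined ? 32 : Number(m[2]);
    if (len < 1 || len > 32) continue; // a /0 entry would block every client
    if (!list.prefixes.has(len)) list.prefixes.set(len, new Set());
    list.prefixes.get(len).add(networkOf(n, len));
    list.count++;
  }
  return list;
}

// At most 32 Set lookups per request, however many entries are loaded.
function isBlocked(list, ip) {
  const n = ipv4ToInt(normalizeIp(String(ip)));
  if (n === null) return false; // non-IPv4 peers are outside this example
  for (const [len, nets] of list.prefixes) if (nets.has(networkOf(n, len))) return true;
  return false;
}

// Hourly refresh: keep the current list if the new feed parses to nothing.
const refreshList = (current, text) => {
  const next = parseFeed(text);
  return next.count > 0 ? next : current;
};

// Constructed sample feed using RFC 5737 documentation addresses.
const SAMPLE_FEED = '203.0.113.7\n198.51.100.0/24  # range\n192.0.2.1/\nnot-an-ip\n';
```

Inside the hook, the check becomes `isBlocked(activeList, req.ip)`, where `activeList` is a hypothetical variable holding the latest result of `refreshList`.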

Custom blocklist + SecureNow

You can layer custom rules on top of the SecureNow base list. From the dashboard, CLI, or API:

npx securenow blocklist add 1.2.3.4 --reason "manual block — abuse report 2026-05-09"

Your custom rules sync to running SDK instances within ~10 seconds.

Verifying

npx securenow firewall status

Or test a specific IP:

npx securenow firewall test-ip 185.220.101.42

Frequently Asked Questions

Does Fastify have a built-in IP firewall?

No — `@fastify/rate-limit` exists for rate limiting but not for reputation-based blocking. The SecureNow preload covers this without Fastify-specific code.

Can I combine the firewall with rate-limit?

Yes. The firewall preload runs below Fastify; rate-limit runs as a Fastify plugin. Different layers, no conflict.

What about Fastify v5?

Same setup. The preload sits at the HTTP server level — Fastify version doesn't matter.