Adding an IP Firewall to Fastify Without Cloudflare

Fastify's onRequest hook + a managed blocklist gives you a real IP firewall in one line. No CDN, no DNS changes.

Lhoussine
May 9, 2026·4 min read

Fastify's onRequest hook is the right place if you want application-level control. The SecureNow preload is the right place if you want a managed 500k-IP blocklist with zero maintenance.

Option 1: SecureNow preload (recommended)

npm install securenow
node -r securenow/firewall-only server.js

500k IPs blocked, hourly refresh, automatic crawler allowlisting. No Fastify code changes.

Option 2: Fastify hook

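import Fastify from 'fastify';

// trustProxy: 1 trusts exactly one proxy hop, so req.ip is the address
// that proxy reported rather than the proxy's own address.
const app = Fastify({ trustProxy: 1 });

const blocklist = new Set();
// ... populate from feed

app.addHook('onRequest', async (req, reply) => {
  // Use req.ip only. Reading X-Forwarded-For directly takes the leftmost
  // entry, which the client controls and can set to any unlisted address.
  const ip = req.ip;
  if (blocklist.has(ip)) {
    return reply.code(403).send('Forbidden');
  }
});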

Workable for small static lists. For 500k entries refreshed hourly, the preload is the practical choice.
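
One way to fill in the "populate from feed" step of Option 2, as an added example that is not code from the original post or from SecureNow: it parses a feed of IPs and CIDR ranges, matches IPv4-mapped client addresses, and keeps the previous list when a refresh parses to nothing. The feed format (one IP or CIDR per line, `#` comments) and the helper names are assumptions.

```javascript
// Added example; parseFeed, refresh and isBlocked are hypothetical helpers.
// IPv4 only: IPv6 feed entries are skipped and IPv6 clients never match.
// Dotted quad -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Assumed feed format: one IP or CIDR per line, '#' starts a comment.
function parseFeed(text) {
  const exact = new Set();
  const ranges = []; // [network, mask] pairs
  for (const raw of text.split('\n')) {
    const [addr, bits] = raw.split('#')[0].trim().split('/');
    const n = ipv4ToInt(addr);
    if (n === null) continue;
    if (bits === undefined) { exact.add(n); continue; }
    const len = /^\d{1,2}$/.test(bits) ? Number(bits) : 33;
    if (len > 32) continue;
    const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
    ranges.push([(n & mask) >>> 0, mask]);
  }
  return { exact, ranges };
}

let current = parseFeed('');

// Swap in a new list only if it parsed to something: a failed or empty
// download keeps the previous list instead of silently unblocking everyone.
function refresh(text) {
  const next = parseFeed(text);
  if (next.exact.size + next.ranges.length === 0) return false;
  current = next;
  return true;
}

function isBlocked(ip) {
  // Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d.
  const n = ipv4ToInt(ip.replace(/^::ffff:/i, ''));
  return n !== null && (current.exact.has(n) ||
    current.ranges.some(([net, mask]) => ((n & mask) >>> 0) === net));
}

// In the onRequest hook: if (isBlocked(req.ip)) return reply.code(403).send('Forbidden');
```

The linear scan over `ranges` is fine for a few hundred CIDR entries; a list in the hundreds of thousands needs a sorted-interval or trie lookup instead.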

Custom blocklist + SecureNow

You can layer custom rules on top of the SecureNow base list. From the dashboard, CLI, or API:

npx securenow blocklist add 1.2.3.4 --reason "manual block — abuse report 2026-05-09"

Your custom rules sync to running SDK instances within ~10 seconds.

Verifying

npx securenow firewall status

Or test a specific IP:

npx securenow firewall test-ip 185.220.101.42

Frequently Asked Questions

Does Fastify have a built-in IP firewall?

No — `@fastify/rate-limit` exists for rate limiting but not for reputation-based blocking. The SecureNow preload covers this without Fastify-specific code.

Can I combine the firewall with rate-limit?

Yes. The firewall preload runs below Fastify; rate-limit runs as a Fastify plugin. Different layers, no conflict.

What about Fastify v5?

Same setup. The preload sits at the HTTP server level — Fastify version doesn't matter.
