Block by HTTP header
Use the VIP_Request_Block::header() method to block requests by HTTP headers.
When blocking requests by HTTP header:
- $header is case-insensitive, but $value is case-sensitive.
- Format the $header string value as it appears when returned by a cURL request or in a browser’s inspector tool console (e.g. Chrome’s Developer Tools).
In this code example, the $header string value is X-My-Header. Because $header is case-insensitive, this value could also be formatted as x-my-header.
// Example VIP_Request_Block::header( string $header, string $value );
if ( class_exists( 'VIP_Request_Block' ) ) {
    VIP_Request_Block::header( 'X-My-Header', 'my-header-value' );
}

Block by an x-asn HTTP header
An x-asn header can be used to block requests by the Autonomous System Number (ASN) of an IP address. The value of the x-asn header identifies the network provider or organization from which the request was sent. The ASN value for an IP address can be retrieved with a tool such as MXToolbox.
Note
An ASN will typically cover an entire cloud hosting service provider, internet service provider, or organization. Blocking requests by ASN can therefore have broad and unintended effects, blocking more traffic than intended.
In this example, IP addresses belonging to the ASN 1234 will be blocked at origin:
// Example VIP_Request_Block::header( 'x-asn', $blocked_asn_number );
if ( class_exists( 'VIP_Request_Block' ) ) {
    VIP_Request_Block::header( 'x-asn', '1234' );
}

Block by geolocation HTTP headers
IP geolocation headers can be used to block incoming requests based on an end user’s global location. Requests blocked by geolocation header can be as broad as an entire continent (i.e. x-continent) or as specific as a postal code (i.e. x-postal-code).
For example, an x-country-code header can be used to identify which country a request is coming from (e.g. US for the United States, DE for Germany). This code example demonstrates a method to block requests from a list of specific countries based on the value of the x-country-code header of a request:
if ( class_exists( 'VIP_Request_Block' ) ) {
    $blocked_countries = [
        'CN', // China
        'RU', // Russia
        'KP', // North Korea
        'TR', // Turkey
    ];
    foreach ( $blocked_countries as $country ) {
        VIP_Request_Block::header( 'x-country-code', $country );
    }
}

For a full list of country codes, refer to the IBAN list of country codes.
Block by x-ip-proxy-type HTTP header
The x-ip-proxy-type HTTP header uses the IP2Proxy™ database to classify the type of an anonymizing service (e.g. reverse proxy) or connection type behind the IP address of an incoming request.
Because the type of connection an IP address is associated with can change over time, this is a best attempt determination and may not be accurate 100% of the time.
| x-ip-proxy-type response | Description |
|---|---|
| VPN | Virtual Private Network. A Virtual Private Network (VPN) is a service that provides users with a publicly accessible server to conceal their IP address. |
| TOR | Tor Exit Nodes. The Tor Project is an open network used by those who wish to maintain anonymity. |
| DCH | Hosting Provider, Data Center or Content Delivery Network. Since hosting providers and data centers can serve to provide anonymity, the Anonymous IP database flags IP addresses associated with them. |
| PUB | Public Proxies. These are services which make connection requests on a user’s behalf. Proxy server software can be configured by the administrator to listen on some specified port. These differ from VPNs in that the proxies usually have limited functions compared to VPNs. |
| WEB | Web Proxies. These are web services which make web requests on a user’s behalf. These differ from VPNs or Public Proxies in that they are simple web-based proxies rather than operating at the IP address and other ports level. |
| SES | Search Engine Robots. These are services which crawl or scrape a website, such as a search engine spider or bot engine. |
| RES | Residential proxies. These services offer users proxy connections through residential ISPs, with or without the consent of peers to share their idle resources. |
| UNK | Traffic which does not match any of the above. It is usually residential home internet and mobile traffic. |
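One way to act on the table above, as an added example that is not part of the original documentation: it passes a chosen set of proxy-type codes to the same VIP_Request_Block::header() call used in the other sections. The helper name my_block_proxy_types(), the guard against SES and UNK, and the choice of TOR and PUB are illustrative assumptions, and it assumes the header value arrives exactly as the codes are written in the table.

```php
<?php
/**
 * Added example (not from the VIP documentation); the function name is
 * hypothetical. Blocks the given x-ip-proxy-type codes.
 *
 * @param string[] $types Codes from the x-ip-proxy-type table.
 * @return string[] Codes passed to VIP_Request_Block::header().
 */
function my_block_proxy_types( array $types ): array {
    if ( ! class_exists( 'VIP_Request_Block' ) ) {
        return array();
    }
    // Codes listed in the x-ip-proxy-type table.
    $known = array( 'VPN', 'TOR', 'DCH', 'PUB', 'WEB', 'SES', 'RES', 'UNK' );
    // SES is search engine crawlers and UNK is mostly ordinary residential
    // and mobile visitors, so this helper refuses to block either.
    $never_block = array( 'SES', 'UNK' );

    $applied = array();
    foreach ( $types as $type ) {
        if ( ! is_string( $type ) ) {
            continue;
        }
        // $value is matched case-sensitively, so normalise to the
        // upper-case form used in the table before comparing.
        $type = strtoupper( trim( $type ) );

        if ( ! in_array( $type, $known, true ) ) {
            error_log( "x-ip-proxy-type: ignoring unknown code '{$type}'" );
            continue;
        }
        if ( in_array( $type, $never_block, true ) ) {
            error_log( "x-ip-proxy-type: refusing to block '{$type}'" );
            continue;
        }
        if ( in_array( $type, $applied, true ) ) {
            continue; // Already registered.
        }
        VIP_Request_Block::header( 'x-ip-proxy-type', $type );
        $applied[] = $type;
    }
    return $applied;
}

// Illustrative choice: block Tor exit nodes and public proxies only.
my_block_proxy_types( array( 'tor', 'PUB' ) );
```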
Block by x-ja3-hash HTTP header
The x-ja3-hash HTTP header is a more accurate method than User Agent strings and IP addresses for targeting traffic from specific clients (browsers and devices). The x-ja3-hash header value is an SSL/TLS fingerprint of the client that is making a request. The value can be retrieved from the tls_ja3_hash field in an environment’s HTTP request Shipping Logs.
This code example demonstrates a method to block requests based on the x-ja3-hash header value:
<?php
/**
 * Get the list of blocked JA3 hashes.
 * Define the list of JA3 hashes you want to block.
 *
 * @return array List of blocked JA3 hashes.
 */
function my_get_blocked_ja3_hashes(): array {
    return array(
        '1234567890abcdefghijk',
        'abcdefghijk1234567890',
        // …add as many as needed.
    );
}

/**
 * Check incoming request for a JA3 hash and block if matched.
 *
 * @see my_get_blocked_ja3_hashes()
 */
function my_maybe_block_by_ja3_hash() {
    if ( ! class_exists( 'VIP_Request_Block' ) ) {
        return;
    }
    $request_ja3_hash = $_SERVER['HTTP_X_JA3_HASH'] ?? '';
    if ( in_array( $request_ja3_hash, my_get_blocked_ja3_hashes(), true ) ) {
        VIP_Request_Block::header( 'x-ja3-hash', $request_ja3_hash );
        exit;
    }
}

// Execute the JA3 hash check early in the bootstrap process.
my_maybe_block_by_ja3_hash();
// …normal bootstrap continues here…

To learn more about JA3, refer to the JA3 Open Source project on GitHub as well as the associated Salesforce blog post about TLS Fingerprinting with JA3 and JA3S.
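Before adding fingerprints to the block list, the tls_ja3_hash values in the logs can be tallied to see which clients are worth targeting. The script below is an added example, not part of the VIP documentation: it assumes the logs are available as one JSON object per line, and apart from tls_ja3_hash the field name user_agent, the function name and all sample lines are constructed for illustration.

```php
<?php
/**
 * Added example (not from the VIP documentation): tally JA3 fingerprints in
 * HTTP request log lines. Assumes one JSON object per line; only the
 * "tls_ja3_hash" field name comes from the page, "user_agent" is hypothetical.
 *
 * @param string[] $lines Raw log lines.
 * @return array Map of hash => [ 'requests' => int, 'agents' => int ].
 */
function my_summarize_ja3( array $lines ): array {
    $stats = array();
    foreach ( $lines as $line ) {
        $row = json_decode( $line, true );
        if ( ! is_array( $row ) ) {
            continue; // Not a JSON object.
        }
        $hash = $row['tls_ja3_hash'] ?? '';
        // A JA3 hash is an MD5 digest: exactly 32 hexadecimal characters.
        if ( ! is_string( $hash ) || ! preg_match( '/^[0-9a-f]{32}$/i', $hash ) ) {
            continue;
        }
        $agent = $row['user_agent'] ?? '';
        $agent = is_string( $agent ) ? $agent : '';
        // Keep the hash exactly as logged: the blocked $value is case-sensitive.
        $stats[ $hash ]['requests'] = ( $stats[ $hash ]['requests'] ?? 0 ) + 1;
        $stats[ $hash ]['agents'][ $agent ] = true;
    }
    foreach ( $stats as $hash => $entry ) {
        $stats[ $hash ]['agents'] = count( $entry['agents'] );
    }
    // Busiest fingerprints first.
    uasort( $stats, function ( $a, $b ) {
        return $b['requests'] <=> $a['requests'];
    } );
    return $stats;
}

// Constructed sample lines; the hashes are made-up 32-character hex strings.
$sample = array(
    '{"tls_ja3_hash":"0123456789abcdef0123456789abcdef","user_agent":"ExampleBrowser/1.0"}',
    '{"tls_ja3_hash":"0123456789abcdef0123456789abcdef","user_agent":"ExampleBrowser/2.0"}',
    '{"tls_ja3_hash":"0123456789abcdef0123456789abcdef","user_agent":"OtherAgent/5.1"}',
    '{"tls_ja3_hash":"fedcba9876543210fedcba9876543210","user_agent":"ExampleBrowser/1.0"}',
    '{"tls_ja3_hash":"not-a-ja3-hash","user_agent":"ExampleBrowser/1.0"}',
);
foreach ( my_summarize_ja3( $sample ) as $hash => $entry ) {
    printf( "%s requests=%d user_agents=%d\n", $hash, $entry['requests'], $entry['agents'] );
}
```

A fingerprint that shows up under many different User-Agent strings is a candidate for my_get_blocked_ja3_hashes(). Because every client built on the same TLS library and settings shares one JA3 hash, confirm that the fingerprint is not also used by legitimate visitors before blocking it.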
Last updated: September 16, 2025