2.0.0 • Public • Published


Send a request to a default route using an IP whitelist/blacklist

Build Status npm install js-standard-style


const filterRoute = deter(
  {whitelist: ['', '', '::1']}, // ipv6! wow!
const server = http.createServer(filterRoute(onGoodIp))
function onBadIp(req, res) {
  res.statusCode = 403
function onGoodIp(req, res) {
  res.statusCode = 200
  res.end(`you're in!`)


deter(options, [defaultRoute], [lookup]) -> function

  • options (object) an options object, with only one of the following keys; you can choose a whitelist or a blacklist, but not both:
    • whitelist (array) a list of CIDR strings that should be allowed through
    • blacklist (array) a list of CIDR strings that should be denied
  • onFail (function) a route to be processed if a request fails the whitelist/blacklist. It will be passed all parameters sent through the route when called on failure.
  • lookup (optional, function) a lookup function that gets the IP address from the request object; by default, this looks at any place the node http server might put an address (see the section on addresses for details). If you need to get an IP from a x-forwarded-for header, say, you can provide your own lookup function, with this form:
    • lookup(requestObject) -> ip (string)


  • If you provide an invalid IP or CIDR in the whitelist/blacklist, the constructor will throw; if this is a problem for you, be sure to try/catch
  • ipv6 is supported, including CIDR notation
  • deter expects to route on a message whose first parameter is either a http.IncomingMessage or a net.Socket, conforming to the node.js HTTP/HTTPS and socket servers. It does not care what any of the other parameters are, and will pass them through to your route/failure function.
  • Deter looks for addresses in the following places, which should cover all of the major node versions; you should be able to pass it your request or socket and have the right thing occur:
    • request.connection.remoteAddress
    • request.socket.remoteAddress
    • request.connection.socket.remoteAddress
    • socket.remoteAddress

If you need to look elsewhere for an address: don't fret, just provide your own lookup function:

const filterRoute = deter(
  {whitelist: ['', '']},
const server = http.createServer(filterRoute(onGoodIp))
function lookup(req) {
  if (req.headers && req.headers['x-forwarded-for']) {
    return req.headers['x-forwarded-for'].split(',')[0]


Apache 2.0, see LICENSE for details.

Package Sidebar


npm i deter

Weekly Downloads






Last publish


  • fardog