Country restrictions help you reduce exposure from regions that should not access your application. Use them to enforce compliance requirements, lower the risk of suspicious sign-up and login activity from high-risk geographies, and control where users can sign up and authenticate from.
Prerequisites
There are no prerequisites for configuring country restrictions.
You can choose from the following actions when a sign-up or login attempt from a restricted country is detected:
- Allow - Let the user continue when the resolved country matches the configured allow list.
- Block - Block the sign-up or login when the resolved country matches the configured block list.
Country restrictions do not support challenge or lock actions.
Country restrictions can mark blocked sign-up and login events for restriction email handling when the Notify end user by email option is enabled. This setting is stored on the country restriction policy and is included in country restriction events so downstream notification flows can decide whether to send an email.
When both environment-level and account-level policies are evaluated, the email flag is enabled if either policy has Send restriction email enabled.
- If no country restriction policy exists, sign-up and login attempts are allowed by this rule.
- If country restriction is disabled, sign-up and login attempts are allowed by this rule and no country restriction event is emitted.
- If the configured country list is empty, sign-up and login attempts are allowed by this rule.
- Country codes are normalized by trimming whitespace and converting valid two-letter codes to uppercase.
- If the country cannot be resolved from the provided country code or IP address, Frontegg applies the policy fail strategy. The default fail strategy is Allow.
- When both environment-level and account-level policies exist, both policies must allow the sign-up or login attempt. A block result from either policy blocks the sign-up or login.
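The evaluation rules listed above, expressed as an added Python example (not Frontegg's code). The `Policy` class, its field names and the function names are hypothetical; the country is passed in as an already-resolved code, with `None` standing for a country that could not be resolved, and two behaviours the page leaves implicit are marked as assumptions in the comments.

```python
from dataclasses import dataclass, field

ALLOW, BLOCK = "allow", "block"

@dataclass
class Policy:  # hypothetical model, not Frontegg's schema
    enabled: bool = True
    action: str = BLOCK          # BLOCK: countries is a block list; ALLOW: an allow list
    countries: list = field(default_factory=list)
    fail_strategy: str = ALLOW   # the page states the default fail strategy is Allow
    send_email: bool = False

def normalize(code):
    """Trim whitespace and uppercase a valid two-letter code; None if unusable."""
    if not isinstance(code, str):
        return None
    code = code.strip()
    return code.upper() if len(code) == 2 and code.isascii() and code.isalpha() else None

def evaluate_one(policy, country):
    """Decision of a single policy for one sign-up or login attempt."""
    if policy is None or not policy.enabled:
        return ALLOW                         # no policy, or restriction disabled
    listed = {c for c in map(normalize, policy.countries) if c}
    if not listed:
        return ALLOW                         # empty country list
    resolved = normalize(country)
    if resolved is None:
        return policy.fail_strategy          # country could not be resolved
    if policy.action == ALLOW:
        # Assumption: a country missing from an allow list is blocked.
        return ALLOW if resolved in listed else BLOCK
    return BLOCK if resolved in listed else ALLOW

def evaluate(env_policy, account_policy, country):
    """Combine both levels: a block from either policy blocks the attempt."""
    active = [p for p in (env_policy, account_policy) if p and p.enabled]
    blocked = any(evaluate_one(p, country) == BLOCK for p in active)
    # Assumption: the email flag only matters on a block and is OR-ed over
    # the policies that were actually evaluated.
    notify = blocked and any(p.send_email for p in active)
    return (BLOCK if blocked else ALLOW), notify

# Constructed sample: environment allow list plus account block list.
env = Policy(action=ALLOW, countries=[" us ", "de"], send_email=True)
acct = Policy(action=BLOCK, countries=["DE"])
if __name__ == "__main__":
    for c in ("US", "de", "FR", None):
        print(c, evaluate(env, acct, c))
```

With the constructed policies, `de` passes the environment allow list but is still blocked by the account block list, and the unresolved case falls through to the default Allow fail strategy.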
If you want to see how often country restriction sign-up and login events occur in your app, view them over time in Security Events.
Country restriction events include the engine action, user ID when available, IP address when available, resolved country code when available, and whether restriction email handling was requested.
When a country restriction is detected, a new log entry appears under the Security event type. Go to [ENVIRONMENT] → Monitoring → Logs to view these events, or see Logged events for the full event reference.
The security.country_restriction.detected log includes the engine action, user ID when available, IP address when available, resolved country code when available, and whether restriction email handling was requested.