How to configure IP restrictions in Strapi Cloud

Last updated: January 13, 2026

Strapi Cloud allows you to implement IP restrictions using the IP middleware to control access to your application. This can help protect your API from unauthorized access and potential abuse.

Setting up IP restrictions

To configure IP blocking in your Strapi Cloud environment, you'll need to create environment-specific middleware files:

  1. Create a production-specific middleware file at ./config/env/production/middlewares.js (or middlewares.ts for TypeScript)

  2. Copy the contents from your existing ./config/middlewares.js file into this new production file

  3. Add your IP middleware configuration to restrict access as needed

The IP middleware is based on the koa-ip package, which provides comprehensive options for whitelisting and blacklisting specific IP addresses and IP ranges.

Important considerations for API usage limits

All requests count toward your API limits: Currently, every request made to your Strapi Cloud API endpoint counts toward your monthly usage limit, including blocked requests and those resulting in 401 unauthorized responses.

This means that:

  • Failed authentication attempts will consume your API quota

  • Blocked requests from IP filtering still count toward usage

  • Potential abuse scenarios or DDoS attacks could artificially inflate your API usage count

Why IP blocking is valuable

Despite blocked requests counting toward your usage limits, implementing IP restrictions provides important benefits:

  • First line of defense: Prevents unauthorized traffic from reaching your application logic

  • Security enhancement: Reduces exposure to potential attacks and abuse

  • Access control: Limits API access to specific IP addresses or ranges as needed

While the Engineering team is evaluating changes to how API calls are counted, no timeline has been provided for updates to this behavior. Therefore, IP blocking remains a valuable security measure to implement proactively.