403 Forbidden status code with an “Access denied” message, immediately terminating the request from matching IP ranges.
Overview
This is the simplest responder type - it sends a standard HTTP 403 response to any client from a blocked IP range. No additional configuration is required beyond specifying which IP ranges to block.Configuration
The Block responder requires no additional parameters beyond the standardranges configuration.
IP ranges to block. Can be CIDR notations (e.g.,
192.168.1.0/24) or predefined service keys (e.g., openai, aws, gcloud).Default: ["aws", "azurepubliccloud", "deepseek", "gcloud", "githubcopilot", "openai"]Optional list of specific IP addresses to exclude from blocking, even if they match the ranges.Note: Only supports individual IP addresses, not CIDR ranges.Default:
[]HTTP Response
When a client from a blocked range makes a request:403
Access denied
text/plain
Examples
Implementation Details
The Block responder is implemented inresponders/block.go:12:
Use Cases
- Block AI Scrapers: Prevent AI companies from scraping your content
- Geo-blocking: Block specific geographic regions (when combined with region-specific ranges)
- Known Bad Actors: Block IPs from known malicious sources
- Cloud Provider Restrictions: Prevent access from specific cloud providers
Comparison with Other Responders
- vs Custom: Block always returns 403, while Custom allows any status code and message
- vs Drop: Block sends a proper HTTP response, while Drop terminates the connection
- vs Tarpit: Block responds immediately, while Tarpit deliberately slows down the response
- vs Garbage: Block returns a clear error, while Garbage returns meaningless data
Related Documentation
- Custom Responder - For customizable status codes and messages
- Drop Responder - For silently dropping connections
- IP Ranges Configuration - Available predefined ranges