Simple IP Filter for ASP.NET Core.

This is as simple IP Filter for ASP.NET Core. Provides an IP Filter for paths exposed by the application using a list of valid (allowed) IP addresses for each path. It is possible to allow access to one or more IP addresses per path and apply the filter to a specific HTTP method (POST, GET,...). If access is not allowed, an HTTP Forbidden (403) status code is returned, but this value can be overridden (see example below).

Current version

Current version is 1.0.1

Release notes for current version

  • Changed default return HTTP status code to Forbidden (403)
  • Added override option to return HTTP status code

To do list

Some new features will be added to future releases.

Planned features

  • Deny access based on list of invalid (not allowed) IP addresses


Download the package from NuGet:

Install-Package JN.IpFilter -version [version number]

The package is available here and source code is available here.


Use the UseIpFilter extension method to add the middleware inside the Configure method on the Startup class. This should be done before others middlewares are added.

The UseIpFilter extension method needs a list of filters and an options object that can be read from configuration.


The following code shows an example of the Configure method.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

    // (...)

    var filters = Configuration.GetIpFilters("IpFilters");
    var options = Configuration.GetIpFilterOptions("IpFilterMiddlewareOptions");

    app.UseIpFilter(filters, options);



The filters and options can be read from configuration. The appsettings.json file could be something like the following.

The default HTTP status code is Forbidden (403). It can be overridden in the options object by specifiying a new code in ResponseHttpStatusCode field.

  "IpFilterMiddlewareOptions": {
    "ExactPathMatch": false,
    "LogRequests": true,
    "ApplyOnlyToHttpMethod": "",
    "ResponseHttpStatusCode": 401
  "IpFilters": [
      "Path": "/MyController",
      "IpList": ";::1"
      "Path": "/MyController2",
      "IpList": "*"
      "Path": "/MyController3",
      "IpList": ""

The available options are as follows:

  • ExactPathMatch - if false, then any filter whose path starts with the path being validated will be used to validate access. For example if path being validated is /MyController4 then filter with path /MyController can be used to validate the request IP. If true, this behaviour is not allowed.
  • LogRequests - log requests using the ILogger provided
  • ApplyOnlyToHttpMethod - apply filter to a specific Http method (POST, GET, ...)
  • ResponseHttpStatusCode - HTTP status code to return - optional; if not specified Forbidden (403) will be used.