Skip to content
SOptim SOptim / Docs

Access Control

Access Control is where you configure SOptim's coarsest-grained protection: country blocks, IP allowlists, the block page, and admin bypass.

Country blocking (Geo)

Block visitors from specific countries before they reach checkout. Common use cases:

  • You don't ship to a country — block to save bandwidth and CAPTCHA spend.
  • High-fraud regions for your category.
  • Sanctions compliance.

Pick countries from the dropdown. Changes apply within ~30 seconds. We use Cloudflare's cf-ipcountry header (in front of your Shopify storefront via App Proxy), so geo accuracy is the same as Cloudflare's.

VPN + iCloud Private Relay aware. We detect Apple's iCloud Private Relay using Apple's published egress IP list (synced weekly). Relay-routed visitors are tagged so a geo block doesn't accidentally hit someone in your country who's just using Apple's privacy feature.

IP allowlist

Add your office IP, your team's home IPs, or anyone else who should never be scored or blocked. Allowlisted IPs skip all Bot Shield modules entirely.

Format: IPv4 (203.0.113.7), IPv6, or CIDR (203.0.113.0/24).

Block page

Visitors blocked by Bot Shield see /apps/soptim/blocked — a Shopify App Proxy page rendered from your shop's settings. Customize:

  • Title — h1 on the page
  • Message — supports basic markdown (bold, links, line breaks)
  • Contact email — shown so legit customers can reach you if blocked in error
  • Logo URL — must be https://. We do not render http:// or data: URLs.
  • Background / text color — must be valid hex (#1a2b3c)

All inputs are HTML-escaped at render. You cannot inject scripts even if you try.

Admin bypass

If you ever block yourself by accident (it happens), use Admin bypass:

  1. Go to Bot Shield → Access Control → Admin bypass.
  2. Click Generate bypass link. This creates a 24-hour HMAC-signed cookie.
  3. Open the link in the browser that's getting blocked.

The cookie is bound to your shop ID + IP family + a server-side secret, and it expires after 24 hours. Re-generate as needed.

Available on

All plans (Free, Grow, Scale, Max). Country blocking has no quantity cap.

Last updated: 2026-05-19
Send feedback