Deny List
Manually block traffic by IP address, user agent, or browser fingerprint
What is the Deny List?
The Deny List lets you manually block specific traffic sources that you've identified as unwanted. Entries on the deny list are checked before other detection methods and take the highest priority in policy evaluation.
Use the deny list when you want to:
- Block known bad actors by IP address
- Block specific scrapers by user agent string
- Block repeat offenders by browser fingerprint
- Respond immediately without waiting for detection
How It Works
The deny list is evaluated at the top of the policy evaluation order:
1. Allow list (highest priority)
2. Deny list ← checked here
3. Path-based rules
4. Confidence threshold
5. Default actionWhen a request matches a deny list entry, it is immediately blocked (HTTP 403) without further detection processing. This makes deny list lookups fast and deterministic.
Managing the Deny List
Dashboard
Navigate to your project in the Checkpoint dashboard, then go to Settings → Deny List.
From the deny list page you can:
- Add entries — Block an IP, user agent, or fingerprint
- View existing entries — See all active blocks with metadata
- Remove entries — Unblock previously denied sources
- Search and filter — Find entries by type or value
Supported Block Types
| Type | Description | Example |
|---|---|---|
| IP Address | Block a single IPv4 or IPv6 address | 203.0.113.42 |
| CIDR Range | Block an IP range using CIDR notation | 203.0.113.0/24 |
| User Agent | Block by exact user agent string match | BadBot/1.0 |
| User Agent Pattern | Block by user agent substring match | *scraper* |
| Fingerprint | Block by browser fingerprint hash | a1b2c3d4e5f6... |
Blocking by IP Address
Single IP
Block a specific IP address:
- Go to Settings → Deny List
- Click Add Entry
- Select type: IP Address
- Enter the IP:
203.0.113.42 - Add an optional note (e.g., "Aggressive scraper detected 2026-01-15")
- Click Add
CIDR Range
Block an entire IP range:
- Select type: IP Address
- Enter the CIDR range:
203.0.113.0/24 - This blocks all 256 addresses in the range
Be careful with large CIDR ranges. Blocking /16 or larger ranges may inadvertently block
legitimate users sharing the same network.
Finding IPs to Block
Use the Monitor tab to identify suspicious IPs:
- Go to your project's Monitor tab
- Filter by detection class: AI Agent or Bot
- Sort by request count to find high-volume sources
- Click an entry to see the IP address
- Add the IP to your deny list
Blocking by User Agent
Exact Match
Block traffic with a specific user agent string:
- Select type: User Agent
- Enter the full user agent string
- Only requests with an exact match are blocked
Pattern Match
Block traffic matching a user agent pattern:
- Select type: User Agent Pattern
- Use
*as a wildcard:*scraper*matches any user agent containing "scraper"
Common patterns to consider:
| Pattern | Blocks |
|---|---|
*bot* | Any user agent containing "bot" |
*scraper* | Any user agent containing "scraper" |
*crawler* | Any user agent containing "crawler" |
python-requests* | Python requests library |
curl/* | cURL requests |
User agent blocking is a blunt instrument — user agents can be spoofed. For sophisticated detection, rely on Checkpoint's multi-signal detection instead. Use user agent blocking for known, easily identifiable sources.
Blocking by Fingerprint
Browser fingerprints are unique hashes derived from client-side signals (screen resolution, installed fonts, WebGL capabilities, etc.). Fingerprint blocking is effective against repeat offenders who rotate IP addresses.
Finding Fingerprints
- Go to the Monitor tab
- Click on a detection entry
- Copy the Fingerprint hash from the detail panel
- Add it to the deny list
Limitations
- Fingerprints require client-side detection (Pixel or Beacon)
- Fingerprints are not available for server-side-only detections
- Fingerprints can change when browsers update
Deny List vs Allow List
| Feature | Deny List | Allow List |
|---|---|---|
| Priority | Second highest | Highest |
| Action | Block (403) | Allow (bypass detection) |
| Use case | Block known bad actors | Permit known good actors |
| Evaluation | After allow list | Before deny list |
Both lists are configured per-project. The allow list is checked first — if a request matches the allow list, the deny list is skipped entirely.
Deny List vs Detection Policies
| Approach | Best For | How It Works |
|---|---|---|
| Deny List | Known bad actors | Exact match on IP/UA/fingerprint |
| Detection Policies | Unknown threats | Classification + confidence threshold |
Use the deny list for sources you've already identified. Use detection policies for automated classification of unknown traffic.
Best Practices
- Start with detection — Use Checkpoint's detection to identify threats before manually blocking
- Add notes — Always add a reason when creating deny list entries for future reference
- Review periodically — IP addresses and user agents change; review your deny list quarterly
- Use CIDR carefully — Prefer single IPs over ranges to minimize false positives
- Prefer detection — For sophisticated threats, multi-signal detection is more reliable than deny list entries
- Combine approaches — Use the deny list for known bad actors and detection policies for everything else
Next Steps
- Policies — Configure automated enforcement rules
- Detection — Understand multi-signal detection
- Dashboard Analytics — Identify traffic to block
- Managing Projects — Project settings overview