Country Restrictions

Limit form submissions to visitors from specific countries using geo-IP detection.

How it works

When country restrictions are enabled, FormBlade checks the visitor's country before accepting a submission. The country is determined from the visitor's IP address at the CDN edge — this resolution happens before the request reaches FormBlade's servers, so there is no added latency.

If the visitor's country is not in your allowed list, the submission is rejected immediately.

Business feature: Country restrictions are available on the Business plan.

What happens when blocked

Visitors from countries not on the allowed list receive a 403 Forbidden response:

HTTP 403 Forbidden

{
  "ok": false,
  "error": "Submissions from this country are not allowed"
}

Setup

Open your form in the dashboard.
Go to the Security tab.
Find the Allowed countries picker.
Search by country name and select the countries you want to allow.
Click Save.

The picker shows full country names alongside their ISO codes. An empty list means submissions are accepted from everywhere — no restrictions are applied.

Special country codes

Some IP addresses do not map to a standard country. These are identified by special codes that you can explicitly allow or leave blocked:

Code	Meaning	When to allow
`T1`	Tor exit nodes	Allow if you accept submissions from privacy-conscious users who browse via the Tor network.
`T2`	Satellite providers	Allow if your audience includes users on satellite internet (maritime, aviation, remote areas).
`XX`	Unknown / unresolvable	Allow if you want to accept submissions when the IP cannot be mapped to any country. Blocking this may reject some legitimate users on unusual networks.

Common configurations

Accept only from your own country

If your business operates in a single country and you only expect local submissions:

Allowed: US

This blocks all submissions from outside the United States.

Accept from the EU

For businesses serving EU customers, add all 27 member states. The picker lets you search by name, so you can quickly add each country:

Allowed: AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU,
         IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE

Block high-risk regions

Country restrictions use an allowlist model (only listed countries are permitted), not a blocklist. To block specific regions, add every country except the ones you want to block. If you mainly receive spam from a small set of countries, this approach may require adding many countries — consider whether captcha or email blocklist would be a better fit.

VPNs, proxies, and Tor

Country detection is based on the visitor's IP address, which has inherent limitations:

VPN users appear as the country where the VPN server is located. A visitor in Germany using a US-based VPN will appear as a US visitor.
Tor users are identified by the special code T1 (Tor exit node). Their actual country is unknown.
Corporate proxies may route traffic through a different country than the user's physical location.
Mobile networks occasionally route through gateways in neighboring countries.

These are fundamental limitations of IP-based geolocation, not specific to FormBlade. Country restrictions are best used as a broad filter to reduce unwanted traffic, not as a precise geographic boundary.

API submissions

Submissions made via the FormBlade API with an API key are not subject to country restrictions. API key authentication bypasses the country check, since server-to-server requests do not have a meaningful geographic origin.

This means you can restrict browser-based form submissions to specific countries while still accepting programmatic submissions from your own backend regardless of where your servers are located.