
This free module is designed for blocking/restricting access on a per site basis for Optimizely CMS 12+ solution hosted on Optimizely DXP with the following features

  • Whitelist single IP address per site basis
  • Whitelist a range of IP addresses via CIDR per site basis
  • Whitelist known paths (e.g. /episerver/health)

Microsoft:.NET Optimizely IPWhitelist: Nuget License: MIT

How to start

Install the add-on nuget package into your Optimizely Cms Web project, then make two lines of code change in your Startup file (see details in Configuration section). Finally, rebuild and re-run your site should be working as normal without noticing any change.

How to configure

Once the package has been installed and configured, you have a few options to turn on the IP restriction.


By default, all sites are accessible after installing the module, you will need to explicitly turn off access for each site via the configuration settings or Admin UI.

Option 1 - Block site access in appsettings.json


Appsetting.json config option will always take precedence than other options.

Name Default value Description
AllowByPassLocalRequest true Get or set the flag which decides whether local request should be allowed to access. true by default.
WhitelistSiteDefinitions Get or set a list of WhitelistSiteDefinition that are used to decide whether a specific site should allow to access.
AdminSafeIpList Get or set a list of Ips (e.g. Company's VPN IP, static IP) that allows to bypass the IpWhitelist module check.
IgnorePaths /episerver/health Get or set a list of paths that allows to ingore the check by IpWhitelist module. ["/episerver/health"] by default.

Example of configuration

"WhitelistSiteOptions": {
  "AllowByPassLocalRequest": false,
  "WhitelistSiteDefinitions": [
      "SiteId": "e68c3e92-c76c-44c0-9196-338d41611e1c",
      "AllowAccess": true
  "AdminSafeIpList": [""],
  "IgnorePaths": ["/episerver/health"]

Option 2 - Block site access in Admin UI

You can control a specific site access from General menu (see screenshot below)

Option 3 - Block site access programmatically

You can configure and overrides the value specified in appsettings programmatically by supplying WhitelistSiteOptions

services.AddIpWhitelist(options =>
    options.WhitelistSiteDefinitions = new List<WhitelistSiteDefinition>
        new() { SiteId = "e68c3e92-c76c-44c0-9196-338d41611e1c", AllowAccess = false }
    options.AllowByPassLocalRequest = true;

How it works

There are 5 default evaluators that implement IRequestEvaluator interface. All requests will be processed sequentially through each evaluator based on their priority level, starting from the highest to lowest priority.

When a request is coming, the middleware will pass it onto the DefaultRequestEvaluator engine which determines the request authorization through each of the evaluator. It will let the request come through as soon as the first evaluator returns true

Name Priority Description
LocalRequestEvaluator 2000 This evaluator is utilized to verify whether the current request coming from local request. It is primarily design to simplify the local development by skipping the restriction. It's the first evaluator gets executed by the engine. You can disable this by setting AllowByPassLocalRequest to false in appsettings.json
EnvironmentByPassEvaluator 1000 This evaluator is utilized to verify whether the current request aligns with the value specified in the appsettings.json - WhitelistSiteDefinitions and the Admin UI - General, thereby determining its authorization to access a specific site.
IgnorePathEvaluator 900 This evaluator is utilized to verify whether the current request's resource aligns with the value specified in the appsettings.json - IgnorePaths and the Admin UI - Ignore Path(s), thereby determining its authorization to access a specific site.
IpAddressEvaluator 200 This evaluator is utilized to verify whether the current request's IP address matches with the value specified in the appsettings.json - AdminSafeIpList and the Admin UI - IP(s), thereby determining its authorization to access a specific site.
CidrAddressEvaluator 100 This evaluator is utilized to verify whether the current request's IP address matches the value specified in the Admin UI - CIDR(s), thereby determining its authorization to access a specific site.



After installing the package IPWhitelist in your project, you need to ensure the following lines are added to the startup class of your solution:

public void ConfigureServices(IServiceCollection services)
   // .... other services

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    // Add IPWhitelist middleware before any other middleware
    // ... other middleware

The call to services.AddIpWhitelist() sets up the dependency injection required by the IPWhitelist to ensure the solution works as intended. This works by following the Services Extensions pattern defined by Microsoft.

Module access control

By default, only users in CmsAdmins, WebAdmins and Administrators role can access Admin UI. If you would like to use you custom policy, you can customize it with AuthorizationPolicyBuilder when registering the IPWhitelist.

services.AddIpWhitelist(builder =>


The module has extensive logging. Turn on information logging for the IPWhitelist namespace in your logging configuration.

  "Logging": {
    "LogLevel": {
      "Default": "Warning",
      "IPWhitelist":"Information" // Add this line


IPWhitelist is a free module. If you like this module and keen to support me, you can get me a coffee :)


I plan to add the following features in the future

  • Import / Export IP / CIDR / Ignore Path
  • Restrict path(s) by for IP / CIDR (e.g. /Util/login)
  • Auditing


  • This module is NOT designed to work with Optimizely CMS 11 or below.