Geoblocking feature

[EdgeOfAssembly]

Select Topic Area

Question

Body

Hi!

Could Github implement geoblocking feature? Either simple dialog with countries with checkboxes (around 192 or 193 checkboxes) or alternatively, just text input area where user can copy-paste IP-addresses in CIDR notation like here: https://github.com/ebrasha/cidr-ip-ranges-by-country/tree/master/CIDR (opens in a new tab)

I recommend CIDR. It will be very easy to implement and use with iptables rules

[CarboniArt]

Hello @EdgeOfAssembly,

That is an interesting proposal! Adding Geoblocking at the repository level could certainly add an extra layer of control for developers with specific compliance or security needs.

To make sure your idea reaches the right people at GitHub, I recommend the following:

Submit to the GitHub Feedback Repository: GitHub staff actively monitors the GitHub Feedback category. Reposting this there (or moving this discussion) increases the chances of it being seen by Product Managers.

Current Alternatives: While this native feature doesn't exist yet, for organizations that need strict IP control, GitHub currently offers IP Allow Lists (for Enterprise accounts). It's a 'whitelist' approach rather than a 'blacklist' (geoblock), but it's the standard for high-security environments.

Specify the Use Case: When you repost it, it might help to explain why you need it. Is it for licensing compliance, security against DDoS from specific regions, or something else?

Great suggestion regarding the CIDR notation, it definitely makes the implementation more flexible for advanced users!

[alex-gamero]

Worth noting that GitHub already has IP allow lists for Enterprise accounts, which lets you restrict access by CIDR ranges, so the underlying infrastructure for something like this exists. The gap is that it's whitelist-only and Enterprise-only, not a per-repo blocklist available to regular users.

For what you're describing specifically, the closest workaround right now would be handling it at the deployment layer rather than GitHub itself. If you're serving something from Pages or an API, you'd geoblock there instead. GitHub as a code host is a bit trickier since blocking access to the repo itself would also block contributors from those regions.

Still a reasonable feature request though, especially for compliance use cases. The feedback forum is probably the right place to push it.

[krillmango]

whitelist only is the reasonable feature. blacklists gamify attacks

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[Imensd00-hub]

hi , This is an interesting idea, but there are a few important points worth considering before GitHub would realistically implement something like this.

First, GitHub already has some geoblocking in place, but it's done at the organizational/legal level rather than as a user-facing feature. GitHub complies
with U.S. export control laws (OFAC sanctions), which means certain countries are already restricted at the platform level — not by individual repository
owners. This is handled legally and is not something users should configure themselves.

Second, offering per-repository geoblocking as a user feature raises significant concerns. Open source software is built on the principle of universal
access, and allowing repo owners to arbitrarily block users by country could create a fragmented, exclusionary ecosystem that goes against GitHub's
mission. It could also be misused for discrimination rather than legitimate security purposes.

Third, the CIDR/iptables suggestion, while technically straightforward on a traditional server, doesn't map well to GitHub's architecture. GitHub is a
massive distributed platform using CDNs, load balancers, and cloud infrastructure globally — IP-level blocking at the repository layer is far more complex
than it sounds, and CIDR lists by country are notoriously inaccurate and need constant updates.

If your actual goal is to restrict who can access your code, GitHub already offers better tools for this. You can make a repository private and only
invite specific collaborators, or if you're on an organization plan, you can use IP allow lists at the organization level (available on GitHub Enterprise)
to restrict access to known IP ranges.

If you're trying to protect against abuse from certain regions, that's better handled at the application/deployment level of whatever you're shipping, not
at the source code hosting level.

In short, this is unlikely to be implemented as described, and the existing alternatives likely cover the underlying need more effectively.

[AlexCojescu]

This won't work the way you're thinking, and GitHub won't build it. The request sounds simple on paper but it just block IPs from certain countries. GitHub's infrastructure doesn't work like a single Linux server where you can drop ip tables rules. Traffic hits a global CDN first, gets routed through load balancers, and by the time it reaches the application layer where your repository settings live, the original IP data is already abstracted away. You're left with just an HTTP header. Filtering at that point would add measurable latency to every git clone, push, and API call across millions of repositories.

Beyond that, maintaining thousands of custom CIDR blocks per repository and keeping them in sync with constantly changing IP allocations? That's a database and caching nightmare at GitHub's scale. ISPs and cloud providers shuffle IP space around daily. Your list would be stale within weeks. And honestly, IP blocking doesn't really work anyway. Anyone motivated enough just spins up a VPN or uses a proxy in an unblocked region. You're playing whack-a-mole forever.

They have IP Allow Lists for Enterprise accounts you specify which IPs are allowed, and everything else gets dropped. That's the inverse approach, and it's much more secure. For actual platform-level geoblocking (OFAC sanctions compliance), GitHub uses commercial real-time IP intelligence databases, not crowdsourced text files. And for real security, they rely on cryptographic identity SSH keys, access tokens, audit logs. Who's authenticating matters way more than where their packets claim to come from.

If you need to restrict access to your repository, those are the tools that actually work. IP-based filtering at the repository level just isn't a problem GitHub is going to solve.