Description
Supporting Geo Fencing of FusionAuth endpoints (Admin UI, Hosted Pages, API, etc.)
Problem
In order to reduce the threat landscape from malicious actors from certain countries and/or for valid business/regulatory reasons where the customer does not operate in certain regions or geographies, it would be ideal if the FusionAuth endpoints were not made accessible in those geographies. The current solution or included capabilities only support preventing login based on IP address or using an IP ACL, which is not as robust and/or is already too late in the request chain. The goal should be to prevent this infiltration in the first place, where the customer should be able to choose which geographies are allowed or not allowed.
Solution
Keeping the Defense in Depth concept of security in mind, it would be ideal if FusionAuth's underlying infrastructure components that run at the edge could block the requests at the edge itself instead of relying on other defenses where the request has already trickled into the application layer.
A possible solution could be using AWS WAF or CloudFront's Geo Fencing solutions. Reference: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
Since each FusionAuth instance is expected to be privately deployed and dedicated to the enterprise customers, we would expect that having this additional layer of defense customizable for the customers would be an ideal enterprise feature for the customers.
Alternatives/workarounds
N/A
Additional context
N/A
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.