shiprr.
Log in Create account

Access control

Restrict who can reach your app before traffic is proxied to your running app replicas. Shiprr supports IP allowlists, HTTP basic auth, or both together.

Where to configure it#

Open your app in the dashboard and go to App → Settings → Access control.

How it works#

Access control is enforced at the edge. Requests are filtered before they reach your app process, so blocked traffic does not hit your app replicas.

  • No allowlist and no basic auth — The app is public.
  • IP allowlist only — Only the listed IPs or CIDR ranges can reach the app.
  • Basic auth only — Every request must pass the browser HTTP basic auth prompt.
  • Allowlist and basic auth together — The request must come from an allowed IP and also pass basic auth.

IP allowlist#

Enter one IP or CIDR per line. Single IPs are accepted and normalized automatically when you save.

203.0.113.10
198.51.100.0/24
2001:db8::/48

Use this when you want to lock an internal tool to office IPs, a VPN, or a specific private network.

Basic auth#

Set a username and password to require a standard HTTP basic auth prompt. This is useful for preview apps, internal dashboards, or temporary access restriction without adding app-level auth logic.

If a username is set, basic auth is enabled. Leaving the username empty disables basic auth. When changing the password, leave it blank only if you want to keep the current password unchanged.

Basic auth here is a convenience edge layer, not a full replacement for application security. For production apps, Shiprr recommends that your app still enforce its own login/session model and apply its own rate limiting or abuse controls where appropriate.

After saving#

Saving access control updates edge routing for the app. If the app is already running, Shiprr saves the new policy immediately and then attempts to refresh the routing configuration so it takes effect without waiting for a manual redeploy.

Common uses#

  • Admin panel — Office or VPN IP allowlist.
  • Client review app — Basic auth with a shared password.
  • Internal tool — Allowlist and basic auth together for an extra access gate.

Notes#

  • If your IP changes often, an IP allowlist can lock you out until you update it.
  • Browsers may cache HTTP basic auth credentials for a while after login.
  • Access control is separate from authentication and authorization logic.
  • For the strongest security model, treat Shiprr basic auth as an outer gate and keep app-level auth and rate limiting enabled too.