IP Allowlist
Restrict switching to requests originating from specific IP addresses or ranges.
Navigate to SwitchGuard → Settings → Security → IP Allowlist.
Settings
| Setting | Default | Description |
|---|---|---|
| Enable IP Allowlist | No | Only allow switching from listed IPs |
| Allowed IPs | [] | Comma-separated IPs or CIDR ranges |
Behaviour When Enabled
- Switching attempts from IPs not on the allowlist are rejected with a permission error.
- The error is logged in the audit log as a
switch_blockedevent.
Accepted Formats
| Format | Example |
|---|---|
| Single IP | 203.0.113.10 |
| CIDR range (IPv4) | 203.0.113.0/24 |
| CIDR range (IPv6) | 2001:db8::/32 |
⚠️
If you enable the IP allowlist and then connect from an unlisted IP, you will be unable to switch users until you add your current IP. Keep a direct database connection (SFTP or phpMyAdmin) available as a fallback so you can update the switchguard_settings option if you lock yourself out.