Geo Blocking at the Edge Layer

May 23, 2026 5 min read Security

Security at the edge means threats are stopped before they reach your infrastructure. By implementing security logic in FastEdge workers, you can validate, filter, and block requests at the closest edge location to the user — providing the fastest possible response for legitimate traffic while protecting your origin servers.

This post looks at Geo Blocking at the Edge Layer — one of several security patterns available in the FastEdge Rust SDK.

What It Does

Block traffic from specific countries or regions at the edge layer — before it reaches your infrastructure.

Processing security logic at the edge provides several benefits: reduced latency for end users (they don't need to round-trip to your origin just to get rejected), reduced load on origin servers (only validated requests reach them), and a smaller attack surface (malicious traffic is absorbed by the edge network).

Implementation

Here is how you implement this pattern using the FastEdge Rust SDK:

use fastedge::{
    body::Body,
    http::{Request, Response, StatusCode, Error},
};

#[fastedge::http]
pub fn main(req: Request<Body>) -> Result<Response<Body>, Error> {
    // Extract security-relevant headers
    let country = req.headers()
        .get("geoip-country-code")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("unknown");

    let user_agent = req.headers()
        .get("user-agent")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("unknown");

    // Block known bad actors at the edge
    if blocked_country(country) {
        return Response::builder()
            .status(StatusCode::FORBIDDEN)
            .header("content-type", "text/plain")
            .body(Body::from("Access denied"));
    }

    if is_malicious_agent(user_agent) {
        return Response::builder()
            .status(StatusCode::FORBIDDEN)
            .body(Body::from("Blocked"));
    }

    // Forward to origin
    Response::builder()
        .status(StatusCode::OK)
        .body(Body::from("Hello, verified user!"))
}

pub fn blocked_country(country: &str) -> bool {
    matches!(country, "XX" | "YY" | "ZZ")
}

pub fn is_malicious_agent(agent: &str) -> bool {
    agent.contains("curl") || agent.contains("python-requests")
}

Deploy

For the complete implementation with all features (rate limiting, IP allowlists, request transformation), clone the SDK repo and check the example:

git clone https://github.com/G-Core/FastEdge-sdk-rust.git
cd FastEdge-sdk-rust/examples/cdn/geo_block
cargo build --release
Important: Edge security complements — but does not replace — server-side validation. Always enforce critical authentication and authorization at the origin. Think of edge security as your first line of defense, not your only one.

Performance Impact

All security checks at the edge run in WebAssembly with sub-millisecond overhead. Header inspection, GeoIP lookups, and pattern matching add virtually no latency — typically 10-50µs per check. This means you can layer multiple security patterns without worrying about performance degradation.