If you run a business in a regulated industry, you can’t just welcome every visitor to your site with open arms. Governments and regulators have rules about who can and can’t access your platform, and ignoring them isn’t an option unless you enjoy hefty fines, legal trouble, or getting shut down entirely. These regulations can apply to all kinds of industries, ranging from online gambling and crypto, to content streaming and telemedicine.

In theory, blocking traffic from restricted countries should be simple: just use IP-based geo-blocking and call it a day, right? Not so fast. Your users probably aren’t lining up to self-report that they’re in a banned region. Instead, they use VPNs, proxies, and other tricks to mask their real location, making a basic IP block about as effective as a screen door on a submarine. And then there’s the added headache of ever-changing sanctions, compliance audits, and proving to regulators that you’re actually following the rules.

So, how do you stay compliant without playing an endless game of whack-a-mole? The key is layering multiple detection and blocking techniques. Let's explore why location enforcement matters and how combining smart techniques keeps both your business and regulators happy.

The global regulatory landscape

Location-based regulations on who can and can’t access your site or app vary widely across the world and differ by industry. If you’re in crypto or financial services, you’ll face strict sanctions from agencies like the U.S. Office of Foreign Assets Control (OFAC), which prohibit transactions with sanctioned countries like Iran, North Korea, or Syria.

Meanwhile, the [EU’s Anti-Money Laundering Directives](https://finance.ec.europa.eu/financial-crime/anti-money-laundering-and-countering-financing-terrorism-eu-level_en#:~:text=The European Union adopted robust,and cooperating with competent authorities.) require crypto and financial platforms to closely monitor user locations to prevent fraud and money laundering. And China’s outright ban on crypto trading has forced businesses worldwide to actively block Chinese traffic.

But it’s not just fintech dealing with these restrictions. Streaming services like Netflix and Spotify enforce geo-blocking to stay within region-specific content licenses. Online gambling operators have to navigate a maze of national and state regulations, carefully blocking access where gambling is illegal. Even adult sites aren’t exempt, often resorting to blanket geo-blocking to comply with age-verification laws and censorship mandates.

Ignoring these rules is a quick way to rack up regulatory penalties, hefty fines, relentless audits, revoked licenses, reputational damage, and in some cases, even criminal charges. With regulations constantly shifting, staying compliant requires regular technical reviews, frequent policy updates, and airtight documentation.

The fundamentals: Geo-IP blocking

To enforce regulations, businesses typically start with the basics: geo-IP blocking. While it’s not a complete solution, it serves as a strong first line of defense for enforcing location-based restrictions and maintaining compliance.

The idea is simple. Every internet-connected device has an IP address, which is generally linked to a geographic location. By configuring Web Application Firewall (WAF) rules, network firewall policies, or server-side access controls, businesses can restrict traffic from specific countries or regions.

Services like Cloudflare, AWS WAF, and Akamai let you apply these rules before unwanted visitors even reach your servers. Firewalls from Cisco ASA, Fortinet, or Palo Alto Networks can also drop geo-blocked traffic at the network level, cutting off access entirely. Web servers and frameworks like NGINX, Apache, and Express.js middleware can also get in on the action, querying IP databases to decide whether a request should be served or shut down.

The process is the same across the board: a user arrives, their IP is checked against a location database like MaxMind or IP2Location, and it’s determined if they’re connecting from a restricted region. You can block visitors in banned regions outright, perhaps limit access to certain features, or send a polite message about geolocation compliance.

Limitations of IP-based blocking

While geo-IP blocking is useful, it’s far from foolproof. Many users bypass it by routing their traffic through VPNs or proxies, making their true location annoyingly difficult to pinpoint. And if they’re a bit more determined, they’ll hop onto Tor or another anonymity service to completely obscure their origin. On top of that, geolocation databases aren’t perfect. They can misclassify IPs or place users halfway across the world from where they actually are.

Layering detection techniques

Relying only on geo-IP blocking can lead to false positives (blocking legitimate users) and false negatives (letting restricted users through). If strict compliance is a priority, you’ll need to step up your game by layering additional detection methods like VPN detection, network checks, and behavioral analytics.

VPN and proxy detection

Checking IP addresses against a reliable VPN or proxy database is a great way to catch location spoofers. If someone connects from a known proxy or a known anonymous data center IP, it’s a strong indicator they’re trying to appear somewhere they’re not.

Beyond static IP lists, several techniques can detect VPN and proxy usage in real time. Latency analysis measures response times to see if they align with the claimed IP location. If a user’s IP says New York but their connection speed suggests somewhere in Europe, something’s off. Time zone mismatches can also expose users. If an IP says Hong Kong but their system clock is set to London, they’re likely spoofing their location.

Additionally packet fingerprinting can analyze traffic patterns for signs of VPN protocols like OpenVPN or WireGuard, while TLS fingerprinting examines SSL handshake data that often reveals VPN server use.

Browser and device signal checks

Browser and device settings can provide valuable clues about a user’s true location, but they aren’t foolproof on their own. Websites can collect signals like time zone, system language, keyboard layout, and regional settings to spot inconsistencies against a user’s claimed location. If an IP address points to Brazil, but the browser’s time zone is set to Berlin and the system language is German, that can be an indicator of location spoofing.

Another useful approach is checking for WebRTC IP leaks which can expose a user’s real local and public IP addresses, even if they’re using a VPN. While browser and device signals aren’t conclusive on their own, they work well as supporting evidence when combined with other detection methods.

Carrier and mobile network verification

Carrier data like Mobile Country Codes and Mobile Network Codes (MCC/MNC) can be a strong indicator of a user’s real location — but only when they’re available. Unlike IPs, mobile networks are much harder to fake.

This data isn’t available to websites unless you want to ask each user for their phone number. But, if you are running a mobile app, you can use platform APIs to retrieve MCC/MNC data and send them to your server for validation. This is a strong signal of a user’s location, but it only works when using mobile data, not Wi-Fi.

DNS and network-level checks

DNS data can provide hints about a user’s true location, but it’s not a good standalone detection method. Websites don’t automatically see which DNS resolver a user is using, so practical approaches focus on controlled DNS lookups and identifying inconsistencies with other location signals.

One method is embedding a hidden resource that resolves through your own custom DNS subdomain. If a user claims to be in Germany but their DNS request routes through a U.S.-based resolver, it may indicate VPN or proxy use. However, many users rely on public DNS services like Google or Cloudflare, which don’t always reflect their actual physical location, so this should be used as a supporting signal rather than definitive proof.

Handling users traveling to restricted regions

Combining these techniques strengthens your geolocation enforcement by adding multiple layers of detection, making it much harder for users to spoof their location. But what happens when legitimate users trigger these restrictions simply because they’re traveling?

While regulations often require blocking access from restricted regions, locking out legitimate users can lead to frustration. If regulations allow, a verification process can help.

First, clear messaging is key. Instead of a generic error page. Let users know why they’re blocked and, if possible, how to regain access. If they’ve previously logged in from an approved region on the same device, that can be used as an additional trust signal. For lower-risk cases, consider limiting actions instead of a full block. Users could log in and view information but be restricted from making purchases or account changes.

If you do offer exemptions for travelers, it’s important to document these cases and ensure they align with regulatory requirements. This brings us to the next crucial piece of the puzzle.

Record-keeping and proving compliance

Even if you’ve done everything right — layered every location-detection trick in the book and successfully blocked visitors from banned regions — your job still isn’t done. Regulators won’t just take your word for it; they want receipts. Proper logging and documentation aren’t just helpful, they’re your best friends when compliance auditors come knocking.

That means keeping detailed logs of blocked requests, timestamps, IP addresses, device or browser signals and identifiers, as well as the detection methods used to flag users. Was it a geo-IP match with a banned region? VPN or proxy detection? Pairing this with real-time alerts for unusual spikes in suspicious traffic or location spoofing attempts also allows your team to respond quickly to emerging risks.

Regular reporting and thorough documentation are just as important. Maintain a well-documented compliance strategy to show the tools and techniques you’re using, how often you update your policies, and a high-level summary of blocked traffic and suspicious activity. This makes it easy to prove you’re playing by the rules, and a solid paper trail will save you a lot of headaches.

Adding Fingerprint to your compliance toolbox

When you’re aiming for airtight compliance, regulators expect more than just the bare minimum and may even reward you for going above and beyond. Incorporating advanced device intelligence as a part of your browser and device signal checks helps you detect anomalous devices, easily uncover location spoofing, and respond to audits with confidence.

Fingerprint’s device intelligence platform helps you spot anomalies quickly by analyzing over 100 browser and device signals. With Smart Signals like VPN Detection, Geolocation Spoofing Detection, and IP Geolocation, you won’t just catch users trying to fake their location; you’ll also be able to pinpoint where they actually are. In addition, signals like Browser Tampering Detection and Virtual Machine Detection give you useful details to gauge visitor intent.

For each visitor identification request, Fingerprint returns clear, audit-friendly JSON data to help you demonstrate compliance, satisfy regulators, and simplify audits. Plus, Fingerprint assigns each visitor a stable, unique visitor ID that persists even if they clear cookies, switch IPs, or use incognito mode. No more banned users trying to slip back in unnoticed after changing a few details. With Fingerprint in your arsenal, meeting and proving regulatory compliance becomes a whole lot easier.

Stay ahead of location-based regulations

Keeping up with shifting location-based regulations might seem like a never-ending headache. Thankfully, layering techniques like geo-IP blocking, VPN detection, network-level checks, and advanced device intelligence makes your compliance strategy tougher to beat. But remember, it’s not just about keeping banned regions out; it’s also about proving to regulators that you’re actually doing it.

Combining multiple detection methods and solutions like Fingerprint helps minimize your regulatory risks, streamline your audits, and may even earn you some brownie points with auditors. Not sure if your compliance strategy measures up? Reach out to our team, and we’ll make sure you’re staying comfortably ahead of regulators.