# workers-discussions
- b
boywithkeyboard
03/14/2023, 8:26 AMi mean companies like google use the user's ip to detect malicious access any other ideas rather than collecting the country/region of the user? - h
HardAtWork
03/14/2023, 8:26 AMWhat do you mean? - b
boywithkeyboard
03/14/2023, 8:28 AMwhat part can't you follow? i mean that e.g. if a user from the us stole a german's user their refresh/access token, they get blocked - b
boywithkeyboard
03/14/2023, 8:28 AMlike as an extra layer of security - b
boywithkeyboard
03/14/2023, 8:29 AMdoes this make more sense to you? - h
HardAtWork
03/14/2023, 8:29 AMOh ok. Might be easier to tie it directly to the IP address then? - h
HardAtWork
03/14/2023, 8:29 AMRather than a specific country or region? - d
Dani Foldi
03/14/2023, 8:29 AMoh they use a lot of other tiny little traces of information, and it's never a pass/fail - h
HardAtWork
03/14/2023, 8:30 AMOh wait, IP switching - d
DarkDeviL
03/14/2023, 8:30 AMInitially here, you refer to: > geolocation security What kind of "security" are you looking for, in which directions and so forth? Geolocation alone, or as the only "security" would be crap for that. - b
boywithkeyboard
03/14/2023, 8:30 AMbut that will change often? - d
Dani Foldi
03/14/2023, 8:30 AMit's marked on a scale - if you've seen recaptcha 3, it can be hidden, tick a box, or pass a challenge - b
boywithkeyboard
03/14/2023, 8:30 AMif you don't have a static ip at least - s
stavros-k
03/14/2023, 8:30 AMI'm not. Is there any pointers/links on how I could achieve that? - d
DarkDeviL
03/14/2023, 8:31 AMAs for the token, IP switching as HardAtWork already mentioned, can be an issue from time to time. One thing you can do to combat that one, would be to limit it to a larger scope (e.g. "subnet") of addresses. - h
HardAtWork
03/14/2023, 8:31 AMOk then yeah, use the Region/Country. Should "generally" be accurate - b
boywithkeyboard
03/14/2023, 8:31 AMcan you open a thread in #1052656806058528849? - h
HardAtWork
03/14/2023, 8:32 AMIf you are really worried, you can always just set your invalidation period lower - b
boywithkeyboard
03/14/2023, 8:32 AMi mean ofc it can be faked etc but it's better than having it not - b
boywithkeyboard
03/14/2023, 8:32 AMit's just an additional layer, not the only one obv - h
HardAtWork
03/14/2023, 8:32 AMI mean, GeoIP can't really be faked, more subverted. I.e., a VPN would show the exit location - b
boywithkeyboard
03/14/2023, 8:33 AMi know but there's always a way to go around it - b
boywithkeyboard
03/14/2023, 8:33 AMdo you have more ideas for additional layers of security? - h
HardAtWork
03/14/2023, 8:34 AMUse Managed Challenges for suspicious behavior? - d
Dani Foldi
03/14/2023, 8:35 AMsure, here's a few - api call rate - regular waf stuff (user agent, other headers, http version) - endpoint call pattern - turnstile - b
boywithkeyboard
03/14/2023, 8:35 AMa link pls - b
boywithkeyboard
03/14/2023, 8:35 AMđź‘Ť - b
boywithkeyboard
03/14/2023, 8:36 AMi'd only use data from the user agent string though which won't change over a period of 365d (that's how long the access token is valid) - h
- a
alwagyu
03/14/2023, 11:09 AMhi I had some problem with workers and asked the questions here https://community.cloudflare.com/t/cf-workers-mtls-fetch-doesnt-work/482863 CF workers mtls fetch doesn’t work as expected. How can I debug this? Thanks in advance