How Blocking Works

This page explains how Kedra Shield protects your store at a technical level, why blocked visitors may still appear in your analytics, and what visitors see when they are blocked.

Storefront-Level Protection

Kedra Shield operates as a theme app embed — a script that runs directly in your storefront when a visitor loads a page. It evaluates each visitor against your configured rules (country, IP, VPN, bot, ASN, referrer) and blocks them if a rule matches.

Because the app runs at the storefront level (not at the server level), there are important implications for how sessions are recorded. See "Why Blocked Visitors Still Appear in Analytics" below.

The Blocking Flow

When a visitor arrives on your store, the following happens:

  1. Page begins loading — Shopify starts rendering the page and may record a session in Shopify Analytics.
  2. Kedra Shield scripts load — The app’s security scripts initialize.
  3. Visitor IP data is fetched — The app determines the visitor’s IP address, country, city, ISP, and whether they are using a VPN, proxy, or bot.
  4. Phase 1 blockers run — IP blocker, ASN blocker, and referrer blocker are evaluated first. If the visitor’s IP is whitelisted, all further blocking is skipped.
  5. Phase 2 blockers run — Country blocker, city blocker, content protection, and VPN/bot detection run next (unless the visitor was whitelisted in Phase 1).
  6. Decision is made — The visitor is either allowed through or blocked.

What Blocked Visitors See

When a visitor is blocked, Kedra Shield displays a full-screen overlay that covers the entire page. The visitor stays on the same URL but cannot see or interact with any store content.

The block page shows:

  • A header message (e.g., “Access Restricted”)
  • A subtitle with additional context
  • An optional button that links to a URL you choose (e.g., a contact page)

You can fully customize the block page text, colors, fonts, and button from the Block Page section in your dashboard.

If you have configured a redirect URL on a specific blocker, the visitor will be redirected to that URL instead of seeing the block page.

Cart and Checkout Protection

Kedra Shield also intercepts cart and checkout requests (/cart/add, /cart/change, /cart/update, /checkout). These requests are held until the security check completes:

  • If the visitor is allowed, the cart/checkout request proceeds normally.
  • If the visitor is blocked, the request returns a 403 error and the cart/checkout action fails.

A 3-second timeout ensures that if the security check takes too long (e.g., due to a slow API response), the request is released and the visitor can proceed. This is called fail-open design — legitimate customers are never locked out, even during outages.
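The hold-then-release behaviour described above can be sketched as a wrapper around a fetch-like function. This is an added example, not Kedra Shield's code: `holdUntilDecision`, `guardFetch`, the decision strings and the prefix matching of paths are assumptions; only the four paths, the 403 and the 3-second timeout come from this page.

```javascript
// Added sketch of "hold until the check completes, release after 3 s".
// Function names and decision strings are hypothetical.
const GUARDED_PATHS = ["/cart/add", "/cart/change", "/cart/update", "/checkout"];
const CHECK_TIMEOUT_MS = 3000;

// Prefix matching is an assumption; the page only lists the paths.
function isGuarded(url) {
  const path = new URL(url, "https://shop.example").pathname;
  return GUARDED_PATHS.some((p) => path.startsWith(p));
}

// Resolves to "allow", "block" or "timeout". Anything except an explicit
// "block" releases the request, including a check that rejects (fail-open).
function holdUntilDecision(securityCheck, timeoutMs = CHECK_TIMEOUT_MS) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve("timeout"), timeoutMs);
  });
  const check = Promise.resolve(securityCheck)
    .then((decision) => (decision === "block" ? "block" : "allow"))
    .catch(() => "allow");
  return Promise.race([check, timeout]).finally(() => clearTimeout(timer));
}

// Wraps a fetch-like function so guarded requests wait for the decision.
function guardFetch(realFetch, securityCheck, timeoutMs) {
  return async function guardedFetch(url, init) {
    if (isGuarded(String(url))) {
      const decision = await holdUntilDecision(securityCheck, timeoutMs);
      // Plain-object stand-in for a 403 Response; the real request is never sent.
      if (decision === "block") return { status: 403, ok: false };
    }
    return realFetch(url, init);
  };
}
```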

Fail-Open Design

Kedra Shield is designed to never block legitimate customers by mistake during errors or outages:

  • If the IP detection API is unreachable, visitors are allowed through.
  • If visitor data cannot be determined (e.g., country unknown), visitors are allowed through.
  • If any blocker encounters an error, it allows the visitor through rather than blocking.
  • If the security check takes longer than 3 seconds, cart/checkout requests are released.

This means the app prioritizes availability for your real customers over blocking every possible threat.

Why Blocked Visitors Still Appear in Analytics

This is the most common question from Kedra Shield users. Here is why it happens:

Shopify Analytics and Google Analytics record a session the moment a visitor accesses your URL. This happens before Kedra Shield’s scripts have a chance to load and evaluate the visitor. By the time the app blocks the visitor, the session has already been counted.

These are sometimes called “ghost sessions” — the visit is logged, but the visitor never actually browsed your store, viewed your products, or interacted with your content.

What this means in practice:

  • You will still see sessions from blocked countries in Shopify Analytics and Google Analytics.
  • This does not mean blocking has failed.
  • The blocked visitors could not view your products, add to cart, or complete a checkout.

How to verify blocking is working:

  • Check the Blocked IPs tab in your Kedra Shield Analytics page — blocked visitors appear here.
  • Test by using a VPN to connect from a blocked country and visiting your store in an incognito window — you should see the block page.

Completely preventing these sessions from being recorded would require server-level or edge-level blocking, which is outside what any Shopify storefront app can do.

IP and Location Detection

Kedra Shield determines visitor information using the following services:

| Data | Source |
| --- | --- |
| IP address, VPN/proxy status, risk score, ISP, ASN | ProxyCheck.io (via Cloudflare Workers) |
| Country (fallback) | Cloudflare CF-IPCountry header |
| Country (secondary fallback) | Shopify browsing context |
| City | ProxyCheck.io response |

Traffic from major cloud providers — Google LLC, Amazon.com Inc., Amazon Data Services, Microsoft Corporation, Cloudflare Inc., and DigitalOcean — is allowed through by default to avoid blocking legitimate services.

IP data is cached for 5 minutes per session to avoid redundant lookups.

Whitelist Priority

If a visitor’s IP matches a whitelisted entry in the IP blocker, they are marked as whitelisted for the entire session. All Phase 2 blockers (country, city, VPN/bot) are skipped entirely. This prevents whitelisted visitors from being accidentally blocked by other rules.
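The blocking flow, the fail-open rules and the whitelist priority described on this page can be modelled as one small decision function. This is an added example, not Kedra Shield's code: the field names, the rule object and the order of blockers inside each phase are assumptions, and content protection is left out.

```javascript
// Simplified model of the two-phase flow on this page; not Kedra Shield's code.
// Field names and the blocker order within a phase are assumptions.
const has = (list, value) => value != null && list.includes(value);

const PHASE_1 = {
  ip: (v, r) =>
    has(r.ipWhitelist, v.ip) ? "whitelist" : has(r.ipBlocklist, v.ip) ? "block" : "pass",
  asn: (v, r) => (has(r.blockedAsns, v.asn) ? "block" : "pass"),
  referrer: (v, r) => (has(r.blockedReferrers, v.referrerHost) ? "block" : "pass"),
};
const PHASE_2 = {
  country: (v, r) => (has(r.blockedCountries, v.country) ? "block" : "pass"),
  city: (v, r) => (has(r.blockedCities, v.city) ? "block" : "pass"),
  vpn: (v, r) => (r.blockVpn && v.vpn === true ? "block" : "pass"),
};

// Fail-open wrapper: a blocker that throws counts as "pass", never as "block".
function runBlocker(check, visitor, rules) {
  try {
    return check(visitor, rules);
  } catch (_err) {
    return "pass";
  }
}

function evaluateVisitor(visitor, rules) {
  // The IP lookup failed or returned nothing: allow (fail-open).
  if (!visitor) return { action: "allow", reason: "no visitor data" };
  for (const phase of [PHASE_1, PHASE_2]) {
    for (const [name, check] of Object.entries(phase)) {
      const verdict = runBlocker(check, visitor, rules);
      // A whitelist hit ends evaluation, so no later blocker runs.
      if (verdict === "whitelist") return { action: "allow", reason: "whitelisted" };
      if (verdict === "block") return { action: "block", reason: name };
    }
  }
  return { action: "allow", reason: "no rule matched" };
}

// Constructed sample rules (documentation-range IPs, placeholder country code).
const sampleRules = {
  ipWhitelist: ["203.0.113.7"], ipBlocklist: ["198.51.100.9"],
  blockedAsns: ["AS64500"], blockedReferrers: ["spam.example"],
  blockedCountries: ["XX"], blockedCities: [], blockVpn: true,
};
```

A visitor with a missing field (for example, no `country`) passes every blocker that depends on that field, which is the fail-open behaviour the page describes.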
