DEV Community: Data Sentry The latest articles on DEV Community by Data Sentry (@data_sentry_8503cff63e04b). https://dev.to/data_sentry_8503cff63e04b https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3961234%2Ff28f2772-6c82-40b0-b0f7-e69ce10cc341.png DEV Community: Data Sentry https://dev.to/data_sentry_8503cff63e04b en How I Cut Chargebacks by 40% With 15 Lines of Code at Checkout Data Sentry Mon, 01 Jun 2026 05:38:20 +0000 https://dev.to/data_sentry_8503cff63e04b/how-i-cut-chargebacks-by-40-with-15-lines-of-code-at-checkout-4ab7 https://dev.to/data_sentry_8503cff63e04b/how-i-cut-chargebacks-by-40-with-15-lines-of-code-at-checkout-4ab7 <p>Chargebacks were killing my margins.<br> Not in a dramatic way. It was slow and invisible — a disputed charge here, a stolen card there. By the time I actually sat down and looked at the numbers, I was losing somewhere between $300 and $500 a month to fraud I had zero visibility into. My Stripe risk score was creeping up. At a certain threshold Stripe starts flagging your account as high-risk and at that point it doesn't matter how good your product is.</p> <p>The fix ended up being embarrassingly simple. One check, before checkout completes, that runs the buyer's IP and asks three questions:</p> <ul> <li>Is this a VPN or proxy?</li> <li>Is this a TOR exit node?</li> <li>Does the IP country match the billing country?</li> </ul> <p>If any of those come back suspicious, the transaction gets flagged for manual review instead of auto-completing. That's it. No ML model, no complex risk engine, no third party fraud suite charging you $200 a month.</p> <p>Here's exactly how I built it.</p> <h2> The Stack </h2> <ul> <li> <strong><a href="//vercel.com">Vercel Edge Functions</a></strong> — runs the check at the edge before checkout completes, adds about 12ms latency</li> <li> <strong><a href="//datasentry.site">DataSentry</a></strong> — IP intelligence API for geolocation, VPN/proxy/TOR detection</li> <li> <strong><a href="//supabase.com">Supabase</a></strong> — logs every flagged transaction for review</li> </ul> <h2> Step 1: The Edge Function </h2> <p>Create a new file at <code>/api/checkout-guard.ts</code> in your Next.js project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="dl">'</span><span class="s1">edge</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">GeoResponse</span> <span class="p">{</span> <span class="nl">country_code</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">is_vpn</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">is_proxy</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">is_tor</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">threat_score</span><span class="p">:</span> <span class="kr">number</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">billingCountry</span><span class="p">,</span> <span class="nx">cartTotal</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1">// Get the real IP, works behind Vercel's proxy</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-forwarded-for</span><span class="dl">'</span><span class="p">)?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">??</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-real-ip</span><span class="dl">'</span><span class="p">)</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">127.0.0.1</span><span class="dl">'</span> <span class="c1">// Skip check for local dev</span> <span class="k">if </span><span class="p">(</span><span class="nx">ip</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">127.0.0.1</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">ip</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">::1</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">allow</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">geoRes</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://api.datasentry.site/v1/geo?ip=</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">&amp;api_key=</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATASENTRY_API_KEY</span><span class="p">}</span><span class="s2">`</span> <span class="p">)</span> <span class="kd">const</span> <span class="nx">geo</span><span class="p">:</span> <span class="nx">GeoResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">geoRes</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">flags</span> <span class="o">=</span> <span class="p">{</span> <span class="na">vpn</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">is_vpn</span><span class="p">,</span> <span class="na">proxy</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">is_proxy</span><span class="p">,</span> <span class="na">tor</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">is_tor</span><span class="p">,</span> <span class="na">countryMismatch</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">country_code</span> <span class="o">!==</span> <span class="nx">billingCountry</span><span class="p">,</span> <span class="na">highThreat</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">threat_score</span> <span class="o">&gt;</span> <span class="mi">70</span><span class="p">,</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">flagged</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="nx">flags</span><span class="p">).</span><span class="nf">some</span><span class="p">(</span><span class="nb">Boolean</span><span class="p">)</span> <span class="c1">// Log flagged transactions to Supabase for manual review</span> <span class="k">if </span><span class="p">(</span><span class="nx">flagged</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="p">}</span><span class="s2">/rest/v1/flagged_transactions`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">apikey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_SERVICE_KEY</span><span class="o">!</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">ip</span><span class="p">,</span> <span class="nx">flags</span><span class="p">,</span> <span class="na">billing_country</span><span class="p">:</span> <span class="nx">billingCountry</span><span class="p">,</span> <span class="na">ip_country</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">country_code</span><span class="p">,</span> <span class="na">cart_total</span><span class="p">:</span> <span class="nx">cartTotal</span><span class="p">,</span> <span class="na">threat_score</span><span class="p">:</span> <span class="nx">geo</span><span class="p">.</span><span class="nx">threat_score</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">allow</span><span class="p">:</span> <span class="o">!</span><span class="nx">flagged</span><span class="p">,</span> <span class="na">flags</span><span class="p">:</span> <span class="nx">flagged</span> <span class="p">?</span> <span class="nx">flags</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: The Supabase Table </h2> <p>Run this in your Supabase SQL editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">flagged_transactions</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">()</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">ip</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">flags</span> <span class="n">jsonb</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">billing_country</span> <span class="nb">text</span><span class="p">,</span> <span class="n">ip_country</span> <span class="nb">text</span><span class="p">,</span> <span class="n">cart_total</span> <span class="nb">numeric</span><span class="p">,</span> <span class="n">threat_score</span> <span class="nb">integer</span><span class="p">,</span> <span class="n">reviewed</span> <span class="nb">boolean</span> <span class="k">default</span> <span class="k">false</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Index for fast lookups on review dashboard</span> <span class="k">create</span> <span class="k">index</span> <span class="k">on</span> <span class="n">flagged_transactions</span> <span class="p">(</span><span class="n">reviewed</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">desc</span><span class="p">);</span> </code></pre> </div> <h2> Step 3: Call It From Your Checkout </h2> <p>Before you call Stripe's <code>confirmPayment</code>, hit the guard first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">handleCheckout</span><span class="p">(</span><span class="nx">billingCountry</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">cartTotal</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">guard</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/checkout-guard</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">billingCountry</span><span class="p">,</span> <span class="nx">cartTotal</span> <span class="p">}),</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">allow</span><span class="p">,</span> <span class="nx">flags</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">guard</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">allow</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Don't hard block — show a verification step instead</span> <span class="c1">// Hard blocking legitimate users who use VPNs for privacy costs you sales</span> <span class="nf">setCheckoutState</span><span class="p">(</span><span class="dl">'</span><span class="s1">requires_verification</span><span class="dl">'</span><span class="p">)</span> <span class="nf">setFraudFlags</span><span class="p">(</span><span class="nx">flags</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c1">// Proceed to Stripe</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nf">confirmPayment</span><span class="p">({</span> <span class="p">...</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Important:</strong> Don't hard block flagged transactions. A lot of legitimate users browse with VPNs for privacy reasons. Flag them for manual review or add a verification step like requiring a phone number. Hard blocking costs you real sales.</p> </blockquote> <h2> Step 4: The Review Dashboard (Optional but Worth It) </h2> <p>A simple Supabase query to pull your review queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">flagged</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">flagged_transactions</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">reviewed</span><span class="dl">'</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ascending</span><span class="p">:</span> <span class="kc">false</span> <span class="p">})</span> </code></pre> </div> <p>Render it however you want. Even a basic table where you can mark transactions as approved or rejected is enough. You'll spend maybe 5 minutes a day on it and it saves you hundreds in chargebacks.</p> <h2> The Results </h2> <p>After running this for 90 days:</p> <ul> <li>Chargebacks dropped ~40%</li> <li>Stripe risk score recovered to normal</li> <li>Zero legitimate customers were hard blocked because of the verification step instead of hard block approach</li> <li>Total latency added to checkout: ~12ms at the edge</li> </ul> <p>The whole thing is about 15 lines of actual logic. The rest is just types and Supabase boilerplate.</p> <h2> What This Doesn't Solve </h2> <p>IP geolocation is one signal, not a complete fraud solution. It won't catch:</p> <ul> <li>Stolen cards used from a legitimate residential IP in the correct country</li> <li>Friendly fraud (buyer disputes a legitimate charge)</li> <li>Account takeovers where the attacker is in the same country</li> </ul> <p>For those you need additional signals — device fingerprinting, velocity checks, purchase history. But for stopping the most obvious fraud patterns, an IP check at checkout is the highest ROI thing you can add in an afternoon.</p> <p>If you're doing any real transaction volume and not running something like this you're probably leaking more than you think. The check costs fractions of a cent per transaction. The chargeback it prevents costs you $15+ in fees plus the lost revenue plus the Stripe risk score damage.</p> <p>Happy to answer questions in the comments if anything is unclear.</p> security webdev javascript typescript