DEV Community: Husnain Babar

Real-Time VPN & Proxy Detection: Why Static IP Databases Are Failing You

Husnain Babar — Fri, 19 Jun 2026 05:11:38 +0000

If your app uses IP geolocation for fraud detection, content localization, or compliance, you're probably working with stale data. And stale data is worse than no data because it gives you false confidence.

Most IP intelligence solutions are static databases updated weekly or monthly. But the threat landscape changes hourly. New VPN exit nodes, proxy servers, and compromised hosts appear and disappear constantly. A database that was accurate last Tuesday is already wrong today.

GeoIPHub solves this with real-time IP intelligence that actively probes and classifies IP addresses on-demand.

The Database Problem

Traditional IP databases (MaxMind GeoIP2, DB-IP, etc.) give you a snapshot. That snapshot tells you what an IP's location was when the database was last updated, whether an IP was classified as a proxy at some point in the past, and a static category tag that doesn't reflect current behavior.

What it doesn't tell you:

Whether that VPN exit node is still active right now
Whether a residential IP has been compromised and is now part of a botnet
Whether a datacenter IP has been freshly provisioned for a proxy service
The actual risk level of the request hitting your server at this moment

How Real-Time Detection Works

Real-time IP intelligence works fundamentally differently. Instead of reading a cached row, the system actively probes and classifies the IP address:

Checks whether VPN or proxy ports are open right now
Verifies the connection type (residential, datacenter, mobile, hosting)
Correlates the IP against live threat intelligence feeds
Computes a risk score from 40+ weighted signals
Returns a verdict in under 50 milliseconds

Every flag that fires comes with evidence. When the system says "this IP is a VPN exit node," it also tells you the provider (NordVPN, ExpressVPN, etc.) and how it verified that claim.

A single API call returns everything: geolocation, network data, active VPN/proxy/Tor detection, WHOIS data, reverse DNS, abuse contacts, and an explainable 0-100 risk score.

Practical Use Cases

Account Security: Flag sessions originating from VPNs, Tor, or residential proxies before issuing a token. A risk score above 75 triggers 2FA.

Payment Fraud: Compare IP geolocation against the billing address in real time. A mismatch combined with a high risk score is a strong fraud signal.

Bot Mitigation: Datacenter IPs making 500 requests per minute to your signup endpoint aren't real users. Real-time classification identifies the infrastructure so you can block at the edge.

Compliance: Static databases misclassify CDN and cloud IPs. Real-time lookup with ASN-level accuracy prevents compliance gaps.

Build vs Buy

You could build this yourself: maintain probe servers, manage blocklists, implement port-scanning, build a scoring engine. Some large companies do. But it's a full-time team, not a side project.

Alternatively, GeoIPHub gives you 1,500 free lookups per day with no credit card. Every plan returns every data field. Unseen IPs are classified live in under 2.5 seconds, then cached for sub-millisecond retrieval.

If you're still relying on a weekly database download to make security decisions, you're working with information that's already outdated by the time it reaches your servers.

Try GeoIPHub free with 1,500 daily lookups.

How Meta's Conversions API (CAPI) Actually Works Behind the Scenes

Husnain Babar — Fri, 19 Jun 2026 05:09:10 +0000

If you're running Meta Ads, you're losing money on wasted ad spend. Here's why: your Pixel is broken.

iOS 14.5 killed browser-based tracking. Ad blockers destroy the Meta Pixel. Safari's ITP eats third-party cookies. Chrome is phasing them out too. By the time a user clicks your ad, visits your site, and converts, there's a 30-40% chance the Pixel never fired.

That means Meta's algorithm thinks the conversion didn't happen. It optimizes toward the wrong audience. Your CPA goes up. Your ROAS drops. You blame the creative.

The real problem is data loss, and the fix is Meta's Conversions API (CAPI) — a server-side tracking method that sends conversion data directly from your server to Meta, bypassing the browser entirely.

What Is the Conversions API?

The Conversions API is Meta's server-side tracking solution. Instead of relying on a JavaScript pixel in the user's browser, CAPI sends event data (PageView, AddToCart, Purchase, Lead, etc.) from your backend server directly to Meta's servers via HTTP POST requests.

The key insight: the browser is hostile territory for tracking. Ad blockers, browser privacy features, and mobile OS restrictions all break client-side pixels. CAPI moves the tracking to your server where none of that matters.

Tools like ClickFortify handle this integration automatically — you install it once and it manages both the Pixel and CAPI in parallel, with deduplication built in.

How CAPI Works Behind the Scenes

Here's the actual data flow when a user converts on your site with CAPI implemented:

1. User Action Occurs
A user completes a purchase, signs up, or performs any tracked event on your website.

2. Event Data Is Collected
Your server captures the event with key parameters: event name, event time, event value, currency, and user identifiers (hashed email, hashed phone, fbc, fbp, client IP, user agent).

3. Data Is Hashed (SHA-256)
All personally identifiable information is normalized and hashed using SHA-256 before transmission. Meta hashes the same way on their end, so they can match users without either side seeing plaintext. This is critical for privacy compliance.

4. Server Sends POST to Meta
Your server makes an HTTPS POST request to https://graph.facebook.com/v19.0/{PIXEL_ID}/events with the event payload, your access token, and the data processing options.

5. Meta Matches and Deduplicates
Meta receives the server event and attempts to match it to a user using the hashed identifiers. If a browser Pixel event also fired for the same action, Meta deduplicates using the event_id field — keeping only one record so the conversion isn't double-counted.

6. Meta Feeds the Ad Algorithm
The matched conversion feeds back into Meta's ad delivery system, helping it optimize toward users who are actually converting.

Why CAPI Is Better Than the Pixel Alone

Higher match quality: CAPI can send richer user data (server-side cookies, CRM data, login info) that the browser Pixel can't access. Meta reports CAPI improves match quality by 15-30% over browser-only tracking.

Bypasses ad blockers: Since the request comes from your server, not the browser, ad blockers can't intercept it. This recovers 20-40% of lost events depending on your audience.

Survives browser privacy changes: Safari ITP, Firefox ETP, and Chrome's cookie deprecation all break the Pixel. CAPI is unaffected because it doesn't rely on browser cookies.

Real-time click fraud detection: When paired with a tool like ClickFortify, CAPI events can be filtered before they reach Meta. If a click comes from a bot, VPN, or click farm, you can suppress the CAPI event entirely — preventing fraudulent conversions from polluting your ad data.

The Deduplication Problem

Most teams run both Pixel and CAPI together (recommended). But if both fire for the same purchase, Meta sees two conversions instead of one. This inflates your data.

The fix: every event needs a unique event_id (a UUID). Both the Pixel and CAPI send the same event_id for the same action. Meta sees matching IDs and keeps only one.

This sounds simple but it's where most DIY implementations fail. The event_id must be generated server-side, passed to the browser for the Pixel, and included in the CAPI payload — all within the same request window.

The Event Match Quality Score

Meta assigns each event an Event Match Quality (EMQ) score from 0 to 10. It measures how reliably the event was matched to a Meta user. Higher EMQ = better ad optimization.

Factors that improve EMQ:

More user identifiers (email + phone + fbc + fbp)
Server-side data that browser pixels can't capture
Accurate timestamps matching the actual user session
Properly formatted and hashed data

A browser-only Pixel typically scores 3-5 out of 10. With CAPI properly implemented, you can hit 7-9. That difference directly translates to lower CPA and better ROAS.

Implementation: DIY vs. Managed

DIY approach: You write the server-side code to hash data, build the payload, call the Graph API, handle deduplication, manage access tokens, retry failed requests, and monitor EMQ scores. For a small team, this is 2-3 weeks of engineering work plus ongoing maintenance.

Managed approach: Tools like ClickFortify handle all of this with a single integration. You add the script, configure your events, and the platform manages Pixel + CAPI in parallel with automatic deduplication, bot filtering, and EMQ optimization.

For most businesses spending $1,000+/month on Meta Ads, the managed approach pays for itself within the first week through recovered conversions alone.

The Bottom Line

If you're still running Meta Ads with only the browser Pixel, you're flying blind on 30-40% of your conversions. CAPI isn't optional anymore — it's the difference between Meta optimizing toward real customers vs. guessing in the dark.

The data loss problem is only getting worse as browsers add more privacy restrictions. The fix is straightforward: move tracking to the server. Whether you build it yourself or use a managed solution, implement CAPI before your next ad campaign.

Learn how ClickFortify handles CAPI, click fraud detection, and conversion tracking in one integration.

Detect VPNs, Proxies, and Bots in Your Web App: A Practical Guide

Husnain Babar — Fri, 19 Jun 2026 03:58:43 +0000

Every login attempt on your app could be a real user — or a bot running through a residential proxy in another country. If you can't tell the difference, you're leaving the door open to account takeovers, payment fraud, and credential stuffing.

The good news: your users' IP addresses already carry the signals you need. You just need to know how to read them.

The Problem with Legacy IP Databases

Most IP lookup solutions are just databases — static files you download and query locally. MaxMind's GeoIP2, for example, is updated weekly. That means:

VPN and proxy data is always stale. New exit nodes appear hourly. A weekly snapshot misses most of them.
No active detection. A database can tell you an IP was a proxy last Tuesday. It can't tell you if it's acting like one right now.
Risk scoring is guesswork. You get a category tag, not a real-time assessment.

If you're relying on this for fraud prevention, you're working with yesterday's data to stop today's attacks.

What Real-Time IP Intelligence Looks Like

Modern IP intelligence works differently. Instead of querying a static file, you make a single API call that returns everything in one shot:

GET https://api.geoiphub.com/v1/lookup?ip=203.0.113.42

The response gives you geolocation (country, region, city, coordinates, timezone), network data (ASN, ISP, connection type), active VPN/proxy/Tor detection, and a 0–100 risk score — all in one call, in under 50ms.

Here's what a typical response looks like:

{
  "ip": "203.0.113.42",
  "country": "Germany",
  "country_code": "DE",
  "city": "Frankfurt",
  "asn": 12345,
  "isp": "Example Hosting GmbH",
  "is_vpn": true,
  "is_proxy": false,
  "is_tor": false,
  "vpn_provider": "NordVPN",
  "connection_type": "datacenter",
  "risk_score": 78,
  "risk_factors": ["vpn_detected", "datacenter_ip", "open_proxy_ports"]
}

That risk_score is the key. It's not a guess — it's computed from 40+ weighted signals including network ownership, open-port probes, blocklist intelligence, and behavioral patterns. And every flag that fires comes with evidence, so you can audit why a decision was made.

Practical Example: Blocking Suspicious Logins

Here's a Python middleware pattern you can drop into any Flask or Django app:

import requests
from functools import wraps

GEOIPHUB_API_KEY = "your-api-key"

def check_ip_risk(ip_address):
    """Query GeoIPHub and return risk assessment."""
    resp = requests.get(
        "https://api.geoiphub.com/v1/lookup",
        params={"ip": ip_address},
        headers={"Authorization": f"Bearer {GEOIPHUB_API_KEY}"},
        timeout=3  # fail fast, don't block legitimate users
    )
    if resp.status_code != 200:
        return None  # API down — fail open, don't lock users out
    return resp.json()

def require_trusted_ip(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        client_ip = get_client_ip()  # your own helper
        result = check_ip_risk(client_ip)

        if result and result.get("risk_score", 0) >= 75:
            # High risk — require 2FA or block outright
            return handle_high_risk(result)

        if result and result.get("is_vpn"):
            # VPN detected — flag but don't block
            log_suspicious_attempt(client_ip, result)

        return f(*args, **kwargs)
    return decorated

The key design choices here:

3-second timeout. If the API is slow or down, you fail open — never block a legitimate user because a third-party service is lagging.
Risk threshold, not hard blocks. A score of 75 triggers extra verification (2FA), not an outright ban. VPN usage alone is flagged, not blocked — plenty of legitimate users browse through VPNs.
Log everything. Even when you allow the request, record the signals for post-incident analysis.

Beyond Logins: Other Use Cases

The same lookup pattern works for:

Payment screening. Compare the IP geolocation against the billing address. A mismatch doesn't mean fraud, but it's a signal worth combining with others.
Bot detection. Datacenter IPs + open proxy ports + high request volume = almost certainly a bot. You don't need ML for the obvious cases.
Geo-compliance. If you need to block certain countries for regulatory reasons, the country_code field handles it without a separate database.
Content localization. The timezone and coordinates let you serve localized content without asking the user.

What to Look for in an IP Intelligence API

If you're evaluating options, here's what actually matters:

Feature	Why it matters
Active detection (not just database lookup)	VPNs and proxies change hourly, not weekly
Explainable risk score	You need to justify why a user was blocked
Every field on every plan	Don't get gated behind enterprise tiers for basic data
Sub-50ms response time	You're putting this in your request path
Generous free tier	You need room to test before committing

I've been using GeoIPHub for this — it's a real-time IP intelligence API that checks all those boxes. The free tier gives you 1,500 lookups a day with no credit card, and every plan returns every field (geolocation, VPN/proxy detection, ASN, risk score). Unseen IPs get classified live in under 2.5 seconds, then cached for sub-millisecond retrieval.

The Bottom Line

IP intelligence isn't optional anymore. Bots, credential stuffers, and fraud rings are sophisticated — they rotate through residential proxies, exploit compromised devices, and move faster than any weekly database update can track.

The fix is straightforward: query every login, every checkout, every signup against a real-time intelligence layer. Block or challenge the high-risk ones. Log the rest. It's a few lines of middleware that eliminate an entire class of attacks.

Want to try it yourself? GeoIPHub's free tier gives you 1,500 daily lookups with full data access — no credit card required.