you should trust your users with their location
With the advent of the Online Safety Act in the United Kingdom, many users have chosen to discover or rediscover VPNs.
This means that there will be a potential surge in users who appear to be from countries which are not the United Kingdom, despite their actual country of origin.
I have spun up a VPS which hosts an OpenVPN instance, the exit point for which is France. France, it turns out, have similar laws for age verification on Adult content, but many sites - such as Imgur - have chosen to specifically block British traffic due to the legal obligations the OSA puts in place.
Having routed all relevant traffic from my Ubiquiti Express 7 via the VPS, I am now discovering that a disproportionate amount of websites simply use your IP address to guess your location and determine your language and, in some cases, version of the website.
This is not the right way to determine your users location.
IPv4 is a finite resource, IP addresses change and are recycled. You cannot guarantee the country of an IP address will remain the same throughout its’ lifetime.
There are at least four better ways to do this:
1. Geolocation API
The geolocation API supported by all modern browsers provides a user opt-in way for the user to divulge their location. This gives you a longitude and latitude you can use to find the user’s country. This could be used, for example, to provide default shipping and cost information.
2. Navigator: Language
The HTTP Accept Language header allows you to find the client’s set language preferences. This is exposed client side (i.e. in JavaScript) by Navigator: Language which is also supported by all modern browsers. This could be used, for example, to provide the default selection for a user’s language.
3. (Big Company Idea) The Domain
You’re a big company. You have a .co.uk and a .fr and a .de domain name. Use that. Use this to determine where they might be wanting to buy a product from, or where they’re shipping it to.
4. The User
Just ask the user. Just ask them.
Unless you’re bound by some whacky laws on where you can distribute your digital content (in which case, good luck), stop guessing where your users are from. Use the modern APIs we have available, or just ask your user.
My blog does not host comments. If you want to discuss a post, or say hello, you can hit me up on BlueSky where I'm @ThomasChatting.dev or you can email me at hello (at) thomaschatting (dot) dev.