Build vs. Buy: Writing Your Own GeoIP Redirect Script (Honest Tutorial)

TL;DR

The naive geo-redirect script is ~15 lines and takes an afternoon. Production-grade needs six more things: session capping, loop protection, query preservation, graceful API failure, a bot strategy, and an interface marketers can edit. Build if you control infrastructure and engineers own the rules; buy if marketing owns them.

Every engineer's first reaction to a geo-redirect tool is "I could write that in an afternoon." Correct! Here is that afternoon's output, followed by what it's missing. We sell the alternative, so discount accordingly — but the technical content below is real either way.

The naive version

fetch("https://ipapi.co/json/").then(r => r.json()).then(d => {if (d.country === "DE") location.href = "https://example.de"; });

This works in a demo. Deployed on a real site, it fails in six distinct ways within the first month.

The six production problems

1. The redirect trap. A German visitor clicks to your .com pricing page deliberately — and gets bounced back. Fix: a per-session flag so the redirect fires once. (sessionStorage, with try/catch — it throws in some private modes.)
2. Loops. Two pages redirecting at each other, or a rule targeting its own destination, ping-pongs the visitor. Fix: never redirect when the destination matches the current page.
3. Lost attribution. location.href = url drops the query string — UTM tags, ad click IDs, gone. Fix: carry the original query through, merging with any params on the destination.
4. API failure under load. Free geolocation tiers rate-limit; when they 429, your script must do nothing — visibly failing or blocking render is worse than not redirecting.
5. Bots. Decide deliberately what crawlers experience (see our SEO guide) — accidental behavior here has ranking consequences.
6. The marketing interface. The day after launch, marketing wants Austria added. With a hardcoded script, every rule change is an engineering ticket forever. This — not the code — is the real long-term cost.

Where DIY fits among the implementation options.

The honest decision framework

Build when you control the server or CDN (edge headers like CF-IPCountry make geolocation free and instant), the rules are stable and engineer-owned, and you accept owning the six problems above. Server-side is also architecturally cleaner — the redirect happens before paint. Buy when the site lives on a hosted CMS (no server access — HubSpot, Webflow, Squarespace), marketers own the rules, or the afternoon of building is worth less than the years of maintaining. The six problems are exactly what a managed tool is charging $19–49/month to have already solved.

Geo-redirects on your HubSpot site in 5 minutes

One script tag, no code, no DNS changes. Free plan included.

Start free

Frequently asked questions

Which geolocation APIs work for a DIY script?

ipapi.co, ipinfo.io, and ip-api.com all offer free tiers suitable for prototyping; MaxMind GeoLite2 is the standard self-hosted database. Watch two things on free tiers: rate limits (often 1k/day — one busy campaign exceeds that) and commercial-use clauses.

Why not just use the free tier forever?

Rate limits make geolocation silently fail under load — and a script without graceful failure handling then either redirects everyone wrongly or blocks rendering. Production traffic needs either a paid API tier or an edge provider that resolves country from headers.

When is building genuinely the right call?

When you control the server or CDN (so you can use edge headers for free), have engineering capacity for ownership (not just creation), and your rules are managed by engineers rather than marketers. All three together — otherwise the maintenance asymmetry favors buying.