How to protect Webhook endpoint


Walter Holohan

Dec 3, 2022, 9:37:47 AM12/3/22
to Strava API
Hi,

We use the Strava webhook (subscription) to get the latest updates for our users. However, the webhook endpoint is a public endpoint, which opens us up to a potential attack by a bad actor. Is there any way of protecting this endpoint? Having investigated, the only option I can see at the moment is to use IP whitelisting on the source IP of the request. If so, does anyone have a list of IP ranges we can use?

Thanks,
Walter
Message has been deleted

ActivityFix

Dec 9, 2022, 5:19:41 PM12/9/22
to Strava API
See my previous answer.

There's not much you can really do to protect the endpoint aside from whitelisting IPs. Security through obscurity isn't really safe or ideal but does buy you a little bit. You can always add in monitoring for abuse (e.g. multiple calls in a short period of time, especially if they contain invalid data or target users who haven't authorized the app).
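The controls discussed in this thread (a source-IP allowlist, plus monitoring for bursts, malformed events and events about users who never authorized the app) as one receiver-side guard. This is an added example written for this page, not code from Strava or from either poster; the IP ranges are placeholder documentation addresses, the subscription id and owner ids are made up, and the event field names are an assumption about the event body rather than a copy of the official format.

```python
import ipaddress
import json
from collections import defaultdict, deque

# Placeholder ranges (RFC 5737/3849 documentation space). Substitute the sender's
# published ranges; this thread does not list Strava's.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Assumed event shape (field names are an assumption made for this example).
REQUIRED_FIELDS = {"object_type": str, "object_id": int, "aspect_type": str,
                   "owner_id": int, "subscription_id": int, "event_time": int}
VALID_OBJECT_TYPES = {"activity", "athlete"}
VALID_ASPECT_TYPES = {"create", "update", "delete"}


def make_event(**overrides):
    """Constructed sample event body for testing, not a captured message."""
    event = {"object_type": "activity", "object_id": 987654, "aspect_type": "create",
             "owner_id": 111, "subscription_id": 12345, "event_time": 1670000000}
    event.update(overrides)
    return json.dumps(event)


def _well_formed(event):
    """Strict schema check: exactly the expected keys, types and enum values."""
    if not isinstance(event, dict):
        return False
    for key, typ in REQUIRED_FIELDS.items():
        value = event.get(key)
        if not isinstance(value, typ) or isinstance(value, bool):  # bool is an int subclass
            return False
    return (event["object_type"] in VALID_OBJECT_TYPES
            and event["aspect_type"] in VALID_ASPECT_TYPES)


class WebhookGuard:
    def __init__(self, our_subscription_id, authorized_owner_ids,
                 max_events=20, window_seconds=60):
        self.subscription_id = our_subscription_id
        self.authorized = set(authorized_owner_ids)   # users who completed OAuth with us
        self.max_events = max_events
        self.window = window_seconds
        self._hits = defaultdict(deque)                # source ip -> recent hit timestamps
        self.alerts = []                               # abuse signals for monitoring

    def _rate_limited(self, source_ip, now):
        q = self._hits[source_ip]
        while q and now - q[0] >= self.window:         # drop hits outside the sliding window
            q.popleft()
        q.append(now)
        return len(q) > self.max_events

    def check(self, source_ip, raw_body, now):
        """Return (accepted, reason). Only accepted events should trigger any work."""
        # 1. Source IP allowlist. source_ip must be the TCP peer address, or a
        #    forwarded-for header that only your own proxy can set; a header the
        #    client can supply itself makes this check worthless.
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "bad source address"
        if not any(ip in net for net in ALLOWED_NETWORKS):
            self.alerts.append(("ip_not_allowlisted", source_ip, now))
            return False, "source not allowlisted"

        # 2. Volume: many events from one source in a short window is an abuse signal
        #    (counted before parsing so floods of garbage are throttled too).
        if self._rate_limited(source_ip, now):
            self.alerts.append(("rate_limit", source_ip, now))
            return False, "rate limited"

        # 3. Reject anything that is not exactly the expected shape.
        try:
            event = json.loads(raw_body)
        except ValueError:
            self.alerts.append(("invalid_json", source_ip, now))
            return False, "invalid json"
        if not _well_formed(event):
            self.alerts.append(("invalid_payload", source_ip, now))
            return False, "invalid payload"

        # 4. Addressed to our subscription, and about a user who actually authorized us.
        #    Events about strangers are the pattern the thread suggests alerting on.
        if event["subscription_id"] != self.subscription_id:
            self.alerts.append(("wrong_subscription", source_ip, now))
            return False, "wrong subscription"
        if event["owner_id"] not in self.authorized:
            self.alerts.append(("unknown_owner", event["owner_id"], now))
            return False, "owner not authorized"
        return True, "ok"
```

Even an accepted event is best treated as a hint: use `owner_id` and `object_id` to re-fetch the object through the authenticated API with that user's stored token, rather than acting on anything else in the inbound body, so a forged event that passes every check above still cannot inject data. Feed `alerts` into whatever monitoring you already run; the `unknown_owner` and `rate_limit` signals are the ones worth paging on.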