Webhook authentication - How do I know the caller is Strava?


Ben Coomes

Nov 10, 2021, 6:25:18 PM
to Strava API
Hi all, 

I have recently set up my application with a subscription to receive events from Strava. Now I can update activities with the gear that was most likely used on the activity - hurrah!

But, how do I know that my callback endpoint is actually being called by Strava, and not some malicious party? If I trust every request, then my subscription callback endpoint could be abused to unsubscribe athletes from my application or exhaust my app's request limits.

I know for the initial subscription setup, subscribers can pass in a verification token which is then delivered by Strava in the subscription verification request. See the docs. But, that verification token is not sent in subsequent requests, as best I can tell. If it were, perhaps it could be used as a shared secret to validate the caller is actually Strava. 

I don't think using the subscription ID as a secret to establish trust is viable - it's just an integer and probably incremented at that. 

So - how do I protect my application from malicious calls to its subscription endpoint?

Thanks!

ActivityFix Brandon

Nov 11, 2021, 12:58:15 PM
to Strava API
You don't have a concrete way to verify it, however there are several things you can do to mitigate any malicious party. In no particular order:
  • There is a limited set of IP ranges Strava will call your webhook from. Check against those. There's always a chance these change, but presumably that doesn't happen *too* often. I can't find a list anywhere, but these are the only 3 I've ever seen in my access logs. That doesn't mean it's all of them, but it's a starting point.
    • 52.4.243.43
    • 52.70.212.225
    • 54.209.86.301
  • As you mentioned, check the subscription ID. While it isn't perfectly safe, there are enough subscriptions out there that someone would have to guess pretty accurately what yours is before you noticed a DDOS attack on your site. I think their current subscription ID is 6 digits so that's a lot of guessing. You'd need something on your end to actually prevent hundreds of thousands of calls to your API to try to guess the value.
  • Your endpoint isn't published anywhere so I recommend giving it a less obvious name. Avoid things like "webhook" or "strava" or any combination of things that are easy to guess. Security through obscurity :)
If someone is really determined they can probably still get through; all you can do is make it more difficult. Also realize Strava's API won't allow anything "bad" to be done, like deleting activities or changing privacy settings, and calls to your webhook can only specify an athlete and activity, so what you do is still controlled by your app. The worst possibilities are what you have mentioned -- unsubscribing athletes and using up your API limits.
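Putting the mitigations from this thread together, as an added example that is not code from either poster: the subscription handshake compares the verify token before echoing the challenge (the hub.mode / hub.verify_token / hub.challenge field names follow Strava's webhook docs and are assumed here), and each event POST is checked against a source-address allowlist and the expected subscription_id before any Strava API call is made. The allowlist entries, the token and the subscription ID are placeholders to be filled from your own subscription and access logs.

```python
import hmac
import ipaddress
from typing import Optional, Tuple

# Placeholder allowlist (two of the addresses named in the thread). Fill it from
# your own access logs; CIDR ranges work too. Parsed once at startup so that a
# malformed entry raises immediately instead of silently never matching.
ALLOWED_SOURCES = [ipaddress.ip_network(s) for s in ("52.4.243.43/32", "52.70.212.225/32")]
EXPECTED_VERIFY_TOKEN = "replace-with-random-secret"  # placeholder: the token you sent when subscribing
MY_SUBSCRIPTION_ID = 123456                            # placeholder: the id Strava returned at subscribe time


def handle_verification(query: dict) -> Optional[dict]:
    """GET handshake. Returns the JSON body to echo back, or None (answer 403)."""
    if query.get("hub.mode") != "subscribe":
        return None
    presented = query.get("hub.verify_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(presented.encode(), EXPECTED_VERIFY_TOKEN.encode()):
        return None
    return {"hub.challenge": query.get("hub.challenge", "")}


def source_allowed(remote_ip: str) -> bool:
    """Cheap first filter: is the connecting address inside the allowlist?"""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # garbage in the remote address is rejected, not crashed on
    return any(addr in net for net in ALLOWED_SOURCES)


def validate_event(remote_ip: str, payload: dict) -> Tuple[bool, str]:
    """POST event. Source address first (no parsing cost), then the id the caller
    must know, then shape checks. Only a (True, "ok") result should trigger work."""
    if not source_allowed(remote_ip):
        return False, "source address not in allowlist"
    if payload.get("subscription_id") != MY_SUBSCRIPTION_ID:
        return False, "subscription_id mismatch"
    if payload.get("object_type") not in ("activity", "athlete"):
        return False, "unexpected object_type"
    if not isinstance(payload.get("object_id"), int):
        return False, "missing object_id"
    return True, "ok"
```

Wire these into whatever web framework serves the callback, taking remote_ip from the connection (or the proxy-supplied header only if your proxy strips client-supplied copies of it).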
