Validating the Webhook S2S
To validate a Webhook, verify the IP address it is coming from (the source IP of the connection, or the client IP carried in the HTTP forwarding header when a proxy is in front; see the next section) and accept the request only if that IP is on the list below.
Here is the list of IPs from which we send S2S Webhooks to publishers. Use these IPs to validate incoming postbacks and reject requests from any other address.
168.63.37.145
20.54.96.37
13.70.194.104
34.146.139.91
34.54.234.115
34.54.248.253
34.64.93.62
34.47.93.43
34.84.180.208
48.209.163.104
4.207.193.125
48.209.162.122
Securing X-Forwarded-For Header
When your service is behind a load balancer or reverse proxy, be aware of potential manipulation of the X-Forwarded-For header. This header is used to identify the originating IP address of the client connecting to the web server through an HTTP proxy or load balancer.
Risks:
Header Manipulation: Attackers can spoof the X-Forwarded-For header to bypass IP restrictions.
Security Measures:
Trusting Proxies: Only trust headers from known proxies or load balancers. Each cloud platform adds the client IP address at a specific position in the X-Forwarded-For chain, which you should consider when validating the IP.
AWS (ELB/ALB): AWS puts the true client IP at the beginning of the X-Forwarded-For list.
Google Cloud Platform (GCP): GCP adds the original client IP at the second-to-last position.
Azure: Azure load balancers append the real client IP at the last position.
Make sure to parse this header correctly depending on your cloud provider to avoid accepting a spoofed IP.
PHP Code Example for AWS:
// Function to get the real client IP when behind AWS ELB/ALB.
// Note: the first entry is only trustworthy if the balancer in front of you
// strips or overwrites any X-Forwarded-For value supplied by the client;
// a proxy that merely appends leaves the first entry under client control.
function get_client_ip() {
    // Check if X-Forwarded-For header exists
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Split the comma-separated X-Forwarded-For chain into an array
        $forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        // The first IP in the list is the real client IP (AWS specific)
        $client_ip = trim($forwarded_ips[0]);
    } else {
        // Fallback to REMOTE_ADDR (the TCP peer) if X-Forwarded-For is not present
        $client_ip = $_SERVER['REMOTE_ADDR'];
    }
    return $client_ip;
}
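As an added example (not code from the original page), the PHP below combines the two parts of this page: it resolves the client IP from X-Forwarded-For at the position given above for each provider, then checks it against the allowlist. It assumes a single load-balancer hop and a `direct` mode for a service with no proxy in front; the function names and the sample chains are hypothetical.

```php
<?php
declare(strict_types=1);

// Allowlist copied from the list on this page.
const WEBHOOK_SOURCE_IPS = [
    '168.63.37.145', '20.54.96.37', '13.70.194.104', '34.146.139.91',
    '34.54.234.115', '34.54.248.253', '34.64.93.62', '34.47.93.43',
    '34.84.180.208', '48.209.163.104', '4.207.193.125', '48.209.162.122',
];

// Returns the client IP at the provider-specific position in the chain, or
// null when the header is missing, too short, or the entry is not a valid IP.
function client_ip_from_xff(?string $xff, string $provider): ?string
{
    if ($xff === null || trim($xff) === '') {
        return null;
    }
    $hops = array_map('trim', explode(',', $xff));
    $n = count($hops);
    switch ($provider) {
        case 'aws':   $candidate = $hops[0]; break;                         // first entry
        case 'gcp':   $candidate = $n >= 2 ? $hops[$n - 2] : null; break;   // second-to-last
        case 'azure': $candidate = $hops[$n - 1]; break;                    // last entry
        default:      return null;  // unknown provider: never guess a position
    }
    if ($candidate === null || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $candidate;
}

// True only when the resolved client IP is on the allowlist. In 'direct' mode
// (no proxy) the TCP peer is the client and X-Forwarded-For is ignored entirely,
// because anyone can send that header.
function is_trusted_webhook_source(string $remote_addr, ?string $xff, string $provider): bool
{
    $ip = $provider === 'direct' ? $remote_addr : client_ip_from_xff($xff, $provider);
    return $ip !== null && in_array($ip, WEBHOOK_SOURCE_IPS, true);
}

// Constructed samples: a GCP-style chain "client, balancer" (balancer address
// taken from the documentation range 198.51.100.0/24), once with an allowlisted
// client and once with an unknown one.
var_dump(is_trusted_webhook_source('10.0.0.5', '34.64.93.62, 198.51.100.1', 'gcp'));
var_dump(is_trusted_webhook_source('10.0.0.5', '203.0.113.9, 198.51.100.1', 'gcp'));
// Direct mode: the header is ignored, only the peer address counts.
var_dump(is_trusted_webhook_source('203.0.113.9', '34.64.93.62', 'direct'));
```

Positions counted from the right are the ones a client cannot influence, because each proxy appends to whatever the client already sent; an entry at the front is only trustworthy when the balancer in front strips or overwrites client-supplied headers.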