# Validating the Webhook S2S

To validate a Webhook, verify the IP address it is coming from in the HTTP header.

Here is the list of IPs from which we send Webhooks S2S to publishers. Use these IPs to validate incoming postbacks and avoid security issues.

```
168.63.37.145
20.54.96.37
13.70.194.104
34.146.139.91
34.54.234.115
34.54.248.253
34.64.93.62
34.47.93.43
34.84.180.208
48.209.163.104
4.207.193.125
48.209.162.122
```

#### **Securing X-Forwarded-For Header**

When your service is behind a load balancer or reverse proxy, be aware of potential manipulation of the `X-Forwarded-For` header. This header is used to identify the originating IP address of the client connecting to the web server through an HTTP proxy or load balancer.

**Risks:**

* **Header Manipulation**: Attackers can spoof the `X-Forwarded-For` header to bypass IP restrictions.

**Security Measures:**

* **Trusting Proxies**: Only trust headers from known proxies or load balancers. Each cloud platform adds the client IP address at a specific position in the `X-Forwarded-For` chain, which you should consider when validating the IP.
  * **AWS (ELB/ALB)**: AWS puts the true client IP at the beginning of the `X-Forwarded-For` list.
  * **Google Cloud Platform (GCP)**: GCP adds the original client IP at the second-to-last position.
  * **Azure**: Azure load balancers append the real client IP at the last position.
* Make sure to parse this header correctly depending on your cloud provider to avoid accepting a spoofed IP.

**PHP Code Example for AWS:**

```
<?php
// Function to get the real client IP when behind AWS ELB/ALB
function get_client_ip(): string {
    // Check if X-Forwarded-For header exists
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Split the X-Forwarded-For header into an array
        $forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);

        // The first IP in the list is the real client IP (AWS specific)
        $client_ip = trim($forwarded_ips[0]);
    } else {
        // Fallback to REMOTE_ADDR if X-Forwarded-For is not present
        // (empty string if the server did not set it, e.g. under the CLI)
        $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';
    }

    return $client_ip;
}
```
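The following is an added example, not code from the original page or the platform: it combines the allow-list check with the "only trust headers from known proxies" rule, reading `X-Forwarded-For` only when the TCP peer is one of your own proxies. `TRUSTED_PROXIES`, the function names and the platform keys are assumptions, and the header positions are the ones listed on this page, so confirm them against your load balancer's documentation before relying on them.

```php
<?php
// Added example, not the platform's own code. Allow-list copied from this page.
const WEBHOOK_SENDER_IPS = [
    '168.63.37.145', '20.54.96.37', '13.70.194.104', '34.146.139.91',
    '34.54.234.115', '34.54.248.253', '34.64.93.62', '34.47.93.43',
    '34.84.180.208', '48.209.163.104', '4.207.193.125', '48.209.162.122',
];
// Assumption: addresses of YOUR load balancers / reverse proxies (placeholders).
const TRUSTED_PROXIES = ['10.0.0.10', '10.0.0.11'];
// Position of the client IP in X-Forwarded-For, as listed on this page.
// Non-negative counts from the start, negative counts from the end.
const XFF_POSITION = ['aws' => 0, 'gcp' => -2, 'azure' => -1];

function webhook_source_ip(array $server, string $platform): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // No header, or the peer is not one of our proxies: use the TCP peer
    // address and ignore X-Forwarded-For, which the sender controls.
    if ($xff === '' || !in_array($peer, TRUSTED_PROXIES, true)) {
        $candidate = $peer;
    } else {
        $index = XFF_POSITION[$platform] ?? null;
        if ($index === null) {
            return null; // unknown platform key
        }
        $chain = array_map('trim', explode(',', $xff));
        if ($index < 0) {
            $index += count($chain);
        }
        // A chain shorter than the platform's layout yields '' and is rejected.
        $candidate = $chain[$index] ?? '';
    }
    // Reject anything that is not a syntactically valid IP address.
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function is_allowed_webhook_source(array $server, string $platform): bool
{
    $ip = webhook_source_ip($server, $platform);
    return $ip !== null && in_array($ip, WEBHOOK_SENDER_IPS, true);
}

// Usage in the postback endpoint: refuse anything not on the allow-list.
if (PHP_SAPI !== 'cli' && !is_allowed_webhook_source($_SERVER, 'aws')) {
    http_response_code(403);
    exit;
}
```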
