Validating the Webhook S2S

To validate a webhook, verify the IP address the request comes from (as seen in the HTTP request, see the note on forwarding headers below) against the list of sender IPs.

Here is the list of IPs from which we send S2S webhooks to publishers. Use these IPs to validate incoming postbacks and avoid security issues.

168.63.37.145
20.54.96.37
13.70.194.104
34.146.139.91
34.54.234.115
34.54.248.253
34.64.93.62
34.47.93.43
34.84.180.208
48.209.163.104
4.207.193.125
48.209.162.122

Securing X-Forwarded-For Header

When your service is behind a load balancer or reverse proxy, be aware of potential manipulation of the X-Forwarded-For header. This header is used to identify the originating IP address of the client connecting to the web server through an HTTP proxy or load balancer.

Risks:

  • Header Manipulation: Attackers can spoof the X-Forwarded-For header to bypass IP restrictions.

Security Measures:

  • Trusting Proxies: Only trust the X-Forwarded-For header when the request reaches you through your own known proxies or load balancers. Each cloud platform adds the client IP address at a specific position in the X-Forwarded-For chain, which you must take into account when extracting the IP to validate.

    • AWS (ELB/ALB): AWS puts the true client IP at the beginning of the X-Forwarded-For list.

    • Google Cloud Platform (GCP): GCP adds the original client IP at the second-to-last position.

    • Azure: Azure load balancers append the real client IP at the last position.

  • Parse this header according to your cloud provider's position rule; reading the wrong entry means accepting an IP a caller was able to set themselves.

PHP Code Example for AWS:

// Function to get the real client IP when behind AWS ELB/ALB
function get_client_ip() {
    // Check if X-Forwarded-For header exists
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Split the X-Forwarded-For header into an array
        $forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        
        // The first IP in the list is the real client IP (AWS specific)
        $client_ip = trim($forwarded_ips[0]);
    } else {
        // Fallback to REMOTE_ADDR if X-Forwarded-For is not present
        $client_ip = $_SERVER['REMOTE_ADDR'];
    }

    return $client_ip;
}
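
The following is an added example, not code from this page or from the webhook provider. It combines the two checks above: it picks the client IP from X-Forwarded-For at the position this page gives for AWS, GCP or Azure, only consults that header when the TCP peer (REMOTE_ADDR) is one of your own proxies, and then compares the result with the sender allowlist above. The $trusted_proxies list and the 10.0.0.5 proxy address are assumptions specific to your deployment; the allowlist is the page's own. One caveat for the "first entry" rule: if your proxy appends to an X-Forwarded-For header the caller already sent instead of replacing it, the first entry is caller-controlled, so confirm how your proxy handles a pre-existing header before relying on that position.

```php
<?php
// Added example (not the page's own code): provider-aware X-Forwarded-For
// parsing plus allowlist check for incoming S2S postbacks.

// Sender IPs as listed on this page.
const WEBHOOK_ALLOWLIST = [
    '168.63.37.145', '20.54.96.37', '13.70.194.104', '34.146.139.91',
    '34.54.234.115', '34.54.248.253', '34.64.93.62', '34.47.93.43',
    '34.84.180.208', '48.209.163.104', '4.207.193.125', '48.209.162.122',
];

/**
 * Pick the client IP out of an X-Forwarded-For header value using the
 * position this page describes for each provider:
 *   'aws'   -> first entry
 *   'gcp'   -> second-to-last entry
 *   'azure' -> last entry
 * Returns null when the header is missing, too short for the chosen position,
 * or the chosen entry is not a syntactically valid IP, so a malformed header
 * can never turn into an "allowed" decision.
 */
function client_ip_from_xff(?string $xff, string $provider): ?string
{
    if ($xff === null || trim($xff) === '') {
        return null;
    }
    // Split on commas, trim each hop, and drop empty entries ("a,,b").
    $hops = array_values(array_filter(array_map('trim', explode(',', $xff)), 'strlen'));
    $n = count($hops);
    if ($n === 0) {
        return null;
    }
    switch ($provider) {
        case 'aws':
            $candidate = $hops[0];
            break;
        case 'gcp':
            $candidate = $n >= 2 ? $hops[$n - 2] : null;
            break;
        case 'azure':
            $candidate = $hops[$n - 1];
            break;
        default:
            throw new InvalidArgumentException("unknown provider: $provider");
    }
    if ($candidate === null || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $candidate;
}

/**
 * Decide whether a postback may be processed.
 *
 * $remote_addr is the TCP peer ($_SERVER['REMOTE_ADDR']). X-Forwarded-For is
 * consulted only when that peer is one of our own proxies ($trusted_proxies,
 * an assumed deployment-specific list). Otherwise the header is ignored and
 * the peer address itself is checked, which is what stops a direct caller
 * from bypassing the allowlist with a forged header.
 */
function postback_allowed(string $remote_addr, ?string $xff, string $provider,
                          array $trusted_proxies, array $allowlist = WEBHOOK_ALLOWLIST): bool
{
    if (in_array($remote_addr, $trusted_proxies, true)) {
        $client_ip = client_ip_from_xff($xff, $provider);
    } else {
        $client_ip = $remote_addr;
    }
    return $client_ip !== null && in_array($client_ip, $allowlist, true);
}

// Constructed sample requests (not real traffic). 10.0.0.5 is an assumed
// internal load balancer address.
$proxy = '10.0.0.5';
// AWS: genuine sender, client IP in the first position.
var_dump(postback_allowed($proxy, '20.54.96.37', 'aws', [$proxy]));
// Azure: client IP last, preceded by a value injected further upstream.
var_dump(postback_allowed($proxy, '198.51.100.7, 20.54.96.37', 'azure', [$proxy]));
// Direct connection carrying a forged header: header ignored, peer checked.
var_dump(postback_allowed('203.0.113.9', '20.54.96.37', 'aws', [$proxy]));
```

Run with php on the command line: the first two sample requests are accepted because the entry at the provider's position is an allowlisted sender, and the third is rejected because the peer is not a trusted proxy, so its X-Forwarded-For header is never read. In a real handler, pass $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null and return an HTTP 403 when postback_allowed() is false.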
