Hi all,
I have customers who are subscribed to our status page via webhooks. Some of them will monitor individual components of ours and automate switching to backup code in the event of a major outage.
The problem with this is that the endpoints for receiving these webhooks are exposed, so a malicious user could potentially abuse our customers' endpoints.
Is there an IP range for Statuspage webhooks that our customers can add to an allowlist?
Hi @Bryan Matias -
Our IP addresses are subject to change at any time, so it's not recommended to allowlist webhooks by IPs for now.
We do have a feature request for implementing security mechanisms in webhook notifications. There currently isn't an ETA on this request, but I will add this community post to the internal ticket and will update you accordingly.
Any updates on this?
Same issue here, our webhook endpoints are publicly exposed. An HMAC implementation is the simplest and good enough I guess, but I'm not sure why it's not implemented yet.