Securing a webhook endpoint


We’re implementing a Contentful webhook endpoint - it’s a Lambda behind API Gateway - and we’d like to ensure that the endpoint only accepts requests from Contentful. I understand that it’s possible to set a secret header key/value, but am wondering whether it would be possible to whitelist Contentful’s IP range. Would this be stable enough to use for this purpose, and if so, are you able to share with us?


Hey @djackson,

in case you’re a committed customer, IPs can be found here: FAQs - What are the IP ranges for webhook calls?

Otherwise, no guarantees are given yet with regard to IP ranges for on-demand customers. So using basic auth credentials seems to be quite a good solution to the problem in that case.
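
Added example, not part of the original thread and not Contentful's code: a sketch of the basic auth check suggested above, done inside the Lambda handler with a constant-time comparison and failing closed when no credentials are configured. It assumes an API Gateway proxy integration event carrying a `headers` map; the environment variable names `WEBHOOK_USER` and `WEBHOOK_PASS` are hypothetical.

```python
import base64
import binascii
import hmac
import os


def is_authorized(headers, expected_user, expected_pass):
    """Return True only if the Authorization header carries the expected Basic credentials."""
    # HTTP header names are case-insensitive, so normalise before looking up.
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    value = lowered.get("authorization") or ""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    user, sep, password = decoded.partition(b":")
    if not sep:
        return False
    # Compare both parts in constant time, without short-circuiting,
    # so response timing does not reveal which part was wrong.
    user_ok = hmac.compare_digest(user, expected_user.encode())
    pass_ok = hmac.compare_digest(password, expected_pass.encode())
    return user_ok & pass_ok


def handler(event, context):
    """Lambda entry point (assumed API Gateway proxy integration event)."""
    # Hypothetical variable names; the values must match the credentials
    # configured on the webhook and are better loaded from a secrets store.
    user = os.environ.get("WEBHOOK_USER")
    password = os.environ.get("WEBHOOK_PASS")
    # Fail closed: missing configuration rejects every request.
    if not user or not password:
        return {"statusCode": 401, "body": "unauthorized"}
    if not is_authorized(event.get("headers"), user, password):
        # Reject before the body is parsed or acted on.
        return {"statusCode": 401, "body": "unauthorized"}
    # ... process the webhook payload in event["body"] here ...
    return {"statusCode": 200, "body": "ok"}
```

The same comparison works for a secret custom header: look up that header instead of `Authorization` and pass its value to `hmac.compare_digest`.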