Securing a webhook endpoint

djackson · January 10, 2019, 11:03am

Hello,

We’re implementing a Contentful webhook endpoint - it’s a Lambda behind API Gateway - & we’d like to ensure that the endpoint only accepts requests from Contentful, I understand that it’s possible to set a secret header key/value, but am wondering whether it would be possible to whitelist Contentful’s IP range. Would this be stable enough to use for this purpose, and if so, are you able to share with us?

Thanks

stephan.schneider · January 10, 2019, 12:21pm

Hey @djackson,

in case you’re a committed customer, IPs can be found here: FAQs - What are the IP ranges for webhook calls?

Otherwise no guarantees are given yet with regards to IP ranges for on-demand customers. So using basic auth credentials seem to be quite a good solution to the problem in that case.

Best,
Stephan

Topic		Replies	Views
API residing in Azure to be invoked by Webhook Show us your content model! webhooks	2	742	June 10, 2021
Webhook Authentication for SalesForce Content Management API webhooks	0	609	June 12, 2020
Contentful Webhook to trigger Azure build, HTTP 401 Content Delivery API webhooks , webapp	1	749	June 26, 2021
No more webhook sent APIs webhooks	6	793	May 3, 2018
Do Webhooks retry on failure? APIs webhooks	0	313	December 13, 2022

Securing a webhook endpoint

Related Topics