Webhooks Frequently Asked Questions
Author: Fluent Commerce
Changed on: 5 Mar 2024
Overview
Fluent Commerce doesn't support static IP whitelisting due to AWS Cloud's dynamic nature. Instead, robust authentication measures are in place for webhook security, including cryptographic signing and signature verification. While static IPs aren't recommended, securing webhook endpoints is achievable by configuring unique URLs and firewall rules. Additionally, setting up custom authorizers or message queue validation enhances security. Each webhook establishes a single connection, with inbound and outbound calls dependent on workflow events. For detailed guidance, refer to Fluent's 'Webhook overview' documentation.
Key points
- Static IP Whitelisting: Fluent Commerce's AWS Cloud setup doesn't allow for static IP whitelisting due to the potential for IP address changes caused by scaling or architectural adjustments, as well as AWS's own IP address alterations.
- Authentication Measures: Instead of relying on IP Access Control Lists, Fluent Commerce employs strong authentication measures for webhook requests, including cryptographic signing with a private key and verification using a public key to ensure the request's legitimacy and integrity.
- IP-Based Restrictions: Implementing IP-based restrictions, such as whitelisting or IP ranges, is not recommended because IP addresses in the AWS Cloud setup are dynamic, which makes such rules difficult to implement and can lead to high exposure levels.
- Alternative Approaches for Access Control: Instead of IP-based restrictions, companies can utilize firewall/networking equipment or reverse proxies to restrict access based on incoming HTTP request details, or configure unique, specific static URLs for incoming traffic to filter and accept connections securely.
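The two controls described above, a unique endpoint URL and public-key signature verification, can be combined in the receiver. The following is an added example, not Fluent Commerce's code: the header name `x-example-signature`, the RSA/SHA-256 algorithm, the base64 encoding, and the URL path are assumptions chosen for illustration, and the real values come from Fluent's 'Webhook overview' documentation.

```javascript
// Added example: header name, algorithm and path are assumptions, not Fluent's API.
const crypto = require('node:crypto');

const SIGNATURE_HEADER = 'x-example-signature';      // hypothetical header name
const WEBHOOK_PATH = '/hooks/fluent/3f9c1e7a-demo';  // constructed unique URL path

// Constant-time string comparison that tolerates different lengths.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Returns the HTTP status the receiver should answer with.
function acceptWebhook(req, publicKey) {
  if (!safeEqual(req.path, WEBHOOK_PATH)) return 404;   // not the dedicated URL
  const header = req.headers[SIGNATURE_HEADER];
  if (typeof header !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(header)) return 401;
  try {
    // Verify over the exact bytes received, before any JSON parsing.
    const signature = Buffer.from(header, 'base64');
    return crypto.verify('sha256', req.rawBody, publicKey, signature) ? 200 : 401;
  } catch (err) {
    return 401;                                         // malformed signature or key
  }
}

// Constructed demo: a throwaway key pair stands in for the sender's signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const rawBody = Buffer.from('{"name":"order.created","entityId":"123"}'); // constructed payload
  const sig = crypto.sign('sha256', rawBody, privateKey).toString('base64');
  const good = { path: WEBHOOK_PATH, headers: { [SIGNATURE_HEADER]: sig }, rawBody };
  const altered = Buffer.from('{"name":"order.created","entityId":"999"}');
  return {
    valid: acceptWebhook(good, publicKey),
    tampered: acceptWebhook({ ...good, rawBody: altered }, publicKey),
    unsigned: acceptWebhook({ ...good, headers: {} }, publicKey),
    garbage: acceptWebhook({ ...good, headers: { [SIGNATURE_HEADER]: 'AAAA' } }, publicKey),
    wrongPath: acceptWebhook({ ...good, path: '/hooks/fluent' }, publicKey),
  };
}

console.log(demo());
```

The receiver must keep the raw request body for verification, since re-serialising parsed JSON can change the bytes and make a legitimate signature fail.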