Drawbacks of IP whitelist

Sibelius Seraphini - Jul 18 '23 - - Dev Community

At Woovi we think a lot about any tiny decision, and how it can impact our business and product in the short and long term.

One common request from our users it to be able to whitelist a set of IP, or an IP range to protect their Webhook callback endpoints that receive notification of a new payment received.

Providing a fixed set of IP for our users would cause a lot of drawbacks when scaling our services.

Drawbacks of IP whitelist

Imagine we have a list of fixed IPs, and we need to change them in the future. We would need to notify all our users to modify their IP whitelist to add the new IPs. For the ones that didn't modify in a timely fashion, it would break their payment integrations, causing a lot of customer support requests.

Another drawbacks of a fixed set of IPs are that they are easily target for hacker attacks.

A more robust approach

Security is non-negotiable for us.
Our users still need to validate if the payment confirmation notification comes only from Woovi servers.
To make this possible we sign all Webhooks notifications using our private key.
And user servers validate each request using Woovi Public Key.
This approach also ensure the payload was not tampered.

Below is a sample JavaScript code that can be used to validate a webhook payload.

import crypto from 'crypto';

const algorithm = 'sha256';
const signatureFormat = 'base64';

export const verifyPayload = (payload, signature) => {
  const publicKey = Buffer.from(WOOVI_PUBLIC_KEY_BASE64, 'base64').toString('ascii');

  const verify = crypto.createVerify(algorithm);

  verify.write(Buffer.from(payload));
  verify.end();

  const isValid = verify.verify(publicKey, signature, signatureFormat);

  return isValid;
};
Enter fullscreen mode Exit fullscreen mode

Here is our Public Key

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/+NtIkjzevvqD+I3MMv3bLXDt
pvxBjY4BsRrSdca3rtAwMcRYYvxSnd7jagVLpctMiOxQO8ieUCKLSWHpsMAjO/zZ
WMKbqoG8MNpi/u3fp6zz0mcHCOSqYsPUUG19buW8bis5ZZ2IZgBObWSpTvJ0cnj6
HKBAA82Jln+lGwS1MwIDAQAB
-----END PUBLIC KEY-----
Enter fullscreen mode Exit fullscreen mode

In Conclusion

Using a Private/Public key validation is simpler than doing IP whitelist or using HMAC.
We are adding the signature validation check to our all SDKs to make our users integration easier than ever.
We also want to make it easy to add this validation for most common firewall solutions like Cloudflare.

Woovi
Woovi is a Startup that enables shoppers to pay as they like. To make this possible, Woovi provides instant payment solutions for merchants to accept orders.

If you want to work with us, we are hiring!

Photo by Scott Rodgerson on Unsplash

Image
The Future of Construction: How Architectural BIM Services are Leading the Way

architectural, bim, services
Image
Higher-Order Components in React

webdev, javascript, programming, beginners
Image
Tokenomics: Designing a Sustainable Token Economy

webdev, tutorial, beginners
Image
Creating a Zelda Chat Assistant using Semantic Kernel

dotnet, ai, csharp, rag
Image
Mastering React Virtual DOM: Boost Your App Performance and Efficiency

javascript, react, webdev, programming
Image
Why are Quality Bookkeeping and Accounting Key to Business Success.
Image
New Jersey's Ambitious $500 Million AI Innovation Initiative

aimoonshot, newjerseyinnovation, aiinvestment
Image
The Cost of Ignorance: How Unfit Leaders are Derailing Your Software Company

startup, rails, ruby, management
Image
How can automation save restaurants from a big soup?

automation
Image
About Me
Image
From Virtual Reality to Virtual Worlds, these are the most popular people in the Metaverse.

mixedreality
Image
What is an Order Management System & its Key Benefits
Image
Streamline your Order Tracking with WhatsApp Chatbots

api, sdk, whatsapp, chatbot
Image
Choosing the Right API Architecture - A Deep Dive into RESTful API & gRPC Protocols

restful, api, grpc, architecture
Image
fivetamtam vn
Image
What is TAC and What is it For?

tac, imei, mobilephones
Image
selenium

selenium, trainingcourses, seleniumautomation
Image
Create a Warehouse Database In 3 Steps

data, database, datascience, warehouse
Image
What Are Order Management Systems and How Do They Work?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .