We whitelisted the Stripe IPs completely after getting burned once. If Stripe gets hacked so that the hackers jump off to our site, we have far bigger problems to worry about.
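What "whitelisting the provider's IPs" looks like at the webhook endpoint, written as an added example for this thread rather than code from any commenter or from Stripe: the source-IP check is one gate, the webhook signature is a second, and both must pass. The CIDR ranges are constructed placeholders (RFC 5737 documentation networks), not the provider's real list; the `t=<ts>,v1=<hex>` signature layout is modelled on Stripe's documented HMAC-SHA256 scheme and is an assumption of this example; all function names are hypothetical.

```python
"""Source-IP allow list plus HMAC signature check for an inbound webhook.
Added example for the discussion above; not code from the thread or from Stripe."""
import hashlib
import hmac
import ipaddress
import time

# Constructed placeholder ranges standing in for the provider's published
# webhook source IPs. Take the real list from the provider's documentation.
WEBHOOK_SOURCE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
]


def source_allowed(remote_addr, ranges=None):
    """True only if remote_addr falls inside an allow-listed range.

    Secure default: an empty allow list rejects everything, and an
    unparseable address is treated as not allowed.
    """
    ranges = WEBHOOK_SOURCE_RANGES if ranges is None else ranges
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def make_signature_header(payload, secret, ts):
    """Build a 't=<ts>,v1=<hex>' header over '<ts>.<payload>' (hypothetical helper,
    used here so the example can sign its own constructed payloads)."""
    mac = hmac.new(secret.encode(), str(ts).encode() + b"." + payload, hashlib.sha256)
    return "t=%d,v1=%s" % (ts, mac.hexdigest())


def verify_signature(payload, sig_header, secret, tolerance_s=300, now=None):
    """Check timestamp freshness and the HMAC-SHA256 over '<ts>.<payload>'.

    Layout modelled on Stripe's documented scheme (assumption of this example).
    Comparison is constant-time to avoid leaking the expected MAC.
    """
    parts = dict(p.split("=", 1) for p in sig_header.split(",") if "=" in p)
    ts, sig = parts.get("t"), parts.get("v1")
    if ts is None or sig is None or not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > tolerance_s:      # replay window exceeded
        return False
    expected = hmac.new(secret.encode(), ts.encode() + b"." + payload,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def accept_webhook(remote_addr, payload, sig_header, secret, now=None):
    """Both gates must pass; the IP allow list never replaces the signature."""
    return source_allowed(remote_addr) and verify_signature(payload, sig_header, secret, now=now)


if __name__ == "__main__":
    # Constructed sample request.
    secret = "whsec_placeholder"
    body = b'{"id": "evt_example", "type": "payment_intent.succeeded"}'
    ts = 1700000000
    header = make_signature_header(body, secret, ts)
    print("from allow-listed IP, valid sig :", accept_webhook("203.0.113.10", body, header, secret, now=ts + 5))
    print("from other IP, valid sig        :", accept_webhook("192.0.2.10", body, header, secret, now=ts + 5))
    print("from allow-listed IP, tampered  :", accept_webhook("203.0.113.10", body + b" ", header, secret, now=ts + 5))
```

The order of the two checks matters for defaults: if the provider's list is empty or has not been configured, nothing is accepted, which is the "maximal security by default, loosen deliberately" posture argued for later in the thread. The IP gate is cheap and removes noise before any cryptography runs, but on its own it would not distinguish a legitimate event from one replayed or forged through the provider's own infrastructure, which is exactly the scenario the first comment accepts as out of scope.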
It seems like Cloudflare should be doing this for you. It wouldn't be hard for them to keep a list of IPs from common known-good integrations. They could prompt on first hit to ask you if you want to allow-list those companies, or even just do it by default.
Can you imagine the firestorm that would happen if CF was found to be allowing traffic from certain other entities, no matter how trustworthy they're perceived to be, to bypass security controls by default? And the firestorm would be entirely warranted.
I see your point, but I think there is a version of this that would be fine. I imagine these rules would be shown in the product so users can see the configuration and override it, perhaps it's an explicit opt-in, perhaps there's a public application process for inclusion or some sort of stated conditions so that it's not seen as too political which services are chosen... there are lots of options.
I agree. I was really responding to having such a pass be enabled by default. The defaults for any security system should be toward maximal security. Users being able to loosen the rules to fit their situation is fine and desirable.