by TechBro8615
1036 days ago
I think the standard is to publish the IP addresses. I understand why companies request this, so they can open their firewalls to those addresses, but in terms of security the real answer is to use bidirectional mTLS, so that you just need to publish your public certificate rather than (or at least, in addition to) an IP address. Unfortunately, mTLS deployment is fairly complex and isn't a great solution for webhooks unless you control the library code on both ends (i.e., you're publishing client libraries for receiving the webhooks), or if you make it an opt-in feature for extra security. Otherwise the simple use case of "just set up a receiving HTTP server" becomes much more complicated and adds undue friction for developers implementing code to receive the hooks.
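As an added example (not part of the comment above), this is what the receiving side of the mTLS approach can look like with Python's standard `ssl` module: the handshake requires a client certificate, and each request is checked against the sender's published fingerprints. The function names, file-path parameters and the use of SHA-256 fingerprint pins are assumptions for illustration.

```python
import hashlib
import hmac
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..', since either form may be published."""
    return fp.replace(":", "").replace(" ", "").lower()

def is_published_sender(peer_der, published_fps) -> bool:
    """True if the client certificate matches one of the published pins."""
    if not peer_der:            # no client certificate was presented
        return False
    actual = fingerprint(peer_der)
    ok = False
    for fp in published_fps:    # several pins allow overlap during rotation
        ok |= hmac.compare_digest(actual, normalize(fp))
    return ok

def receiver_context(server_cert, server_key, sender_pem):
    """Server-side TLS context that refuses clients without a trusted cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=sender_pem)  # published cert or its CA
    ctx.verify_mode = ssl.CERT_REQUIRED           # handshake fails otherwise
    return ctx

def make_handler(published_fps):
    class Hook(BaseHTTPRequestHandler):
        def do_POST(self):
            der = self.connection.getpeercert(binary_form=True)
            if not is_published_sender(der, published_fps):
                self.send_error(403, "unknown sender certificate")
                return
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(204)   # a real receiver would process body here
            self.end_headers()
    return Hook

def serve(addr, ctx, published_fps):
    """Run the receiver; every connection must complete the mTLS handshake."""
    httpd = HTTPServer(addr, make_handler(published_fps))
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

The fingerprint check matters when `sender_pem` is a CA rather than the sender's own certificate, because the handshake alone would then accept any certificate that CA issued.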