I'm trying to setup a web server to handle the shopify webhooks about order info and get the product Inventory info with the api.
Just like the example
To be safety,I setup some firewall rules and want to make a whitelist of the IP addresses .
so that only Shopify's server can access our server.
I try to google to find something about the IP range of Shopify, but i got nothing.
Can you help me ?
You shouldn't have to be validating that requests are coming from Shopify on the network level. Our webhook requests come with a calculated HMAC signature to verify that the request in fact came from Shopify:
I know this is an old post, but @Alex, to be blunt that answer is not acceptable. People whitelist for a lot of reasons, only 1 of which might be to verify the request is coming from you. I'm running into this now with our Shopify integration and the biggest reason we want to whitelist is not to verify the shopify connection it is to AVOID ALL OTHER CONNECTIONS! Why expose a service that needs a request from 1 application to the entire world to be attacked and possibly compromised?!?
Can you confirm if Shopify still hasn't fixed this issue? It is pretty standard in the industry, even if that whitelist includes entire class-c ranges, to provide IPs for whitelisting for webhooks. The fact Shopify doesn't take this level of security seriously is very concerning.