We need to whitelist Shopify's IP ranges to allow the webhooks through to our internal servers. Doing this on the application layer is not secure enough, and we need to do that on the network firewall. We know that the IPs may change, but we can update the firewall rules once the IPs change.
Can anyone provide these ranges?
It would also be great if Shopify could have an up-to-date page in their documentation with the latest IPs used.
We do not provide IP ranges for whitelisting. Part of the reasoning is as you described, in that the IPs can change at any time. Just because you might be diligent and able to update the whitelist in a timely manner, it doesn't mean a lot of other apps can or will, which can lead to disruptions for merchants.
I probably can't give the entire reasoning too much justice, but that is at least part of it.
A development server should never be public in any way. We implement a firewall and whitelist for this.
"Part of the reasoning is as you described, in that the IPs can change at any time."
Possible changes in IP addresses and/or ranges are not a valid reason. Why not publish an up-to-date list of server IP addresses like Mailchimp does, in a DNS TXT record? This way whitelists can be kept up to date automatically, and it adds another layer of security.
ip.mailchimp.tips. 60 IN TXT "22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11"
"Just because you might be diligent and able to update the whitelist in a timely manner, it doesn't mean a lot of other apps can or will, which can lead to disruptions for merchants."
If an app implements a whitelist, it's their responsibility to update it accordingly.
If an app does not implement a whitelist/is public, no problem.
I also saw some other posts, for example this one: https://community.shopify.com/c/Shopify-APIs-SDKs/API-Webhook-IP-whitelist/td-p/189739
It has the response: "No. Validate your webhooks and then it doesn't matter."
I totally disagree with this reasoning, and many will agree with me. It's not about verifying webhook calls from your servers. It's about preventing any unauthorized others from accessing anything on the target server they shouldn't need access to. And development servers especially should be shielded.
You might have more reasons to not publish a list of servers. But we have our reason(s) to keep our servers shielded. A very good one, security.
Please re-consider this. Attack surface reduction is a very common method for reducing security risk on information systems.
Ability to whitelist only Shopify IP subnets (even if there were a lot of them) as source for webhooks would be very much welcome.
As others have mentioned, this is not about authenticating requests from Shopify but to keep all unauthorized access blocked at IP level.
Blacklisting (possibly with WAF) is a viable alternative method but comes with unnecessary complexity as the number of authenticated sources is very limited and known.
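
An added example, not code from any poster or from Shopify or Mailchimp, of the automatic update proposed above: it validates a published TXT record before turning it into firewall changes, so that a wrong or spoofed record cannot open or empty the allowlist. The nftables set names, the prefix limits and the shrink threshold are assumptions, and the addresses are constructed documentation ranges.

```python
import ipaddress

# Assumed policy, not from the thread: nothing broader than /24 (IPv4) or /48 (IPv6),
# and no automatic update that drops more than half of the current entries.
MIN_PREFIX = {4: 24, 6: 48}
MAX_SHRINK = 0.5
# Hypothetical nftables sets (one per address family, created with "flags interval").
NFT_SETS = {4: "inet filter webhook_v4", 6: "inet filter webhook_v6"}


def _key(net):
    return (net.version, int(net.network_address), net.prefixlen)


def parse_txt(rdata):
    """Parse TXT rdata like '"192.0.2.10 198.51.100.0/28"' into validated networks."""
    nets = set()
    for token in rdata.replace('"', " ").split():
        net = ipaddress.ip_network(token, strict=True)  # ValueError on junk or stray host bits
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"{net} is broader than policy allows")
        if net.is_loopback or net.is_multicast or net.is_link_local:
            raise ValueError(f"{net} is not a plausible sender address")
        nets.add(net)
    return nets


def plan_update(current, rdata):
    """Return (to_add, to_remove); raise instead of applying a suspicious record."""
    wanted = parse_txt(rdata)
    if not wanted:
        raise ValueError("empty record, keeping the current allowlist")
    removed = current - wanted
    if current and len(removed) > MAX_SHRINK * len(current):
        raise ValueError("record drops too many entries, review by hand")
    return sorted(wanted - current, key=_key), sorted(removed, key=_key)


def nft_commands(to_add, to_remove):
    """Render the plan as nft commands; host entries are written without /32 or /128."""
    def elem(net):
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    cmds = [f"nft add element {NFT_SETS[n.version]} {{ {elem(n)} }}" for n in to_add]
    cmds += [f"nft delete element {NFT_SETS[n.version]} {{ {elem(n)} }}" for n in to_remove]
    return cmds


# Constructed sample data (documentation ranges), not real sender addresses.
CURRENT = parse_txt("192.0.2.10 192.0.2.11 198.51.100.0/28")
NEW_RDATA = '"192.0.2.10 198.51.100.0/28 203.0.113.7 2001:db8::5"'
```

Fetching the record itself (for example with a resolver library or `dig`) is left outside the block so that it runs offline; a rejected record leaves the existing rules untouched.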