Whitelist Shopify IPs to allow Webhooks

Reeham_Raed
Shopify Partner
3 0 3

Hi All,

 

We need to whitelist Shopify's IPs ranges to allow the webhooks to our internal servers. Doing this on the application layer is not secure enough,  and we need to do that on the network firewall. We know that the IPs may change, but we can update the firewall rules once the IPs changes. 

Anyone can provide these ranges? 

 

It will also be great if Shopify can have an up to date page on their documentation with the latest IPs used.

 

Regards

Raed

Replies 10 (10)

Alex
Shopify Staff
1561 81 341

We do not provide IP ranges for whitelisting. Part of the reasoning is as you described, in that the IPs can change at any time. Just because you might be diligent and able to update the whitelist on in a timely manner, it doesn't mean a lot of other apps can or will which can lead to disruptions for merchants.

 

I probably can't give the entire reasoning too much justice, but that is at least part of it.

 

Cheers.

Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Jspeedz
Visitor
1 0 20

Hello Alex,

 

A development server should never be public in any way. We implement a firewall and whitelist for this.

 

Part of the reasoning is as you described, in that the IPs can change at any time.

Possible changes in IP addresses and/or ranges is not a valid reason. Why not publish an up to date list of server IP addresses like mailchimp does? In a DNS TXT record. This way whitelists can be kept up to date automatically and adds another layer of security.

 

ip.mailchimp.tips.	60	IN	TXT	"35.196.47.179 35.196.100.107 35.227.92.85 34.73.90.1 34.74.96.47"

 

Just because you might be diligent and able to update the whitelist on in a timely manner, it doesn't mean a lot of other apps can or will which can lead to disruptions for merchants.

If an app implements a whitelist, it's their responsibility to update it accordingly.

If an app does not implement a whitelist/is public, no problem.

 

 

I also saw some other posts, for example this one https://community.shopify.com/c/Shopify-APIs-SDKs/API-Webhook-IP-whitelist/td-p/189739

Which has the response: "No. Validate your webhooks and then it doesn't matter."

 

I totally disagree with this reasoning, and many will with me. It's not about verifying webhook calls from your servers. It's preventing any unauthorized others from accessing anything on the target server they shouldn't need access to. And development servers should be shielded, especially.

 

You might have more reasons to not publish a list of servers. But we have our reason(s) to keep our servers shielded. A very good one, security.

Geordie_ca
Tourist
7 1 2

I also agree with Jspeedz.

 

What is making this worse, is Shopify's move to their FulfilmentOrder process that makes the implementation of callbacks mandatory.  As of March 31st, 2023, we will need to retire our fulfilment and payment capture integration, as we can not update an order to fulfilled status without first accepting the fulfilment via a fulfilmentOrder callback.

 

This is very frustrating and could result in migrating our B2C website to another platform, as it is a minor part of our business compared to B2B.  We can't put that business a risk, by disabling a major part of our integration API security, for Shopify. 

 

I'm very disappointed when business don't care about their customer security...

plunk85
Tourist
3 0 3

Shopify seem to have no interest in responding to this request from anyone. From what i can see, the entire Shopify IP range is as follows: 23.227.32.1/19

Hopefully this helps someone out there

kauppi
Visitor
1 0 10

Hi,

 

Please re-consider this. Attack surface reduction is a very common method for reducing security risk on information systems.

Ability to whitelist only Shopify IP subnets (even if there were a lot of them) as source for webhooks would be very much welcome.

 

As others have mentioned, this is not about authenticating requests from Shopify but to keep all unauthorized access blocked at IP level.

Blacklisting (possibly with WAF) is a viable alternative method but comes with unnecessary complexity as the number of authenticated sources

is very limited and known.

 

Thanks,

antonygrace
Visitor
1 0 0

@Alex  Additional call for this - we will be unable to implement an integration with a 3rd party which does whitelist their services - they require us to provide external IPs for them to whitelist and I naturally assumed this would be a simple case of looking this up on the Shopify website, only to be led here....

There really is no good reason for not doing this - as has been noted, it's a standard practice nowadays.

Lighttech
Visitor
1 0 0

We are also facing this same dilemma.

Looking to pull data through an api from an in house server and want to keep our firewall as secure as possible.

What I am finding the most disturbing is that Alex as the representative for shopify doesn't seem to get why this is essential.

Everything stated so far as I read it,  is about shopify's security with no regard to the security of their clients.

These api's are using the most common ports on the internet. You just don't open those up to an internal lan or even a dmz lan.

I ran this by my internet security/firewall consultant, he nearly had apoplexy.

Yes, ip addresses change. The only things guaranteed are death and taxes. I just can't fathom this vague Non-answer.

y_saito
Tourist
7 0 0

I want to test on the development server, so I want to know the range of IP addresses currently in use.

Can you tell me the range of IP addresses currently used for webhooks?

I just want to whitelist and test it now, so it doesn't matter if the IP address changes in the future.

SGTX
Shopify Partner
1 0 1

Any news regarding this ? Is there any other alternative ?

jsb
Shopify Partner
3 0 3

This is an old thread but came here to second this.  We were hoping to protect our pre-prod standalone app with a network firewall and found there's no IP ranges to whitelist. So if we want it to be functional that won't work.  It would be really great if this info was available.  I really don't like leaving pre prod resources open to the internet