What are Shopify's Public Source IP Addresses?

I need to whitelist Shopify’s source_ip ranges to allow webhooks/API calls to our internal servers.

I process traffic at the application layer, but only doing this leaves me with gaps in our threat profile since it still allows anonymous hosts to contact internal resources not meant for access by the general public.

I’ve read Shopify’s existing arguments here regarding the lack of information on this topic–we find the reasoning to be unacceptable for our use case.

We know that the IPs may change, and understand why some clients may not be concerned with the IP addresses. But we are. And I can update firewall rules faster than I can rebuild our infrastructure after being compromised.

It’s bad enough that Shopify actively encourages the use of ngrok… would you kindly throw your paying customers a bone here and provide a proper source_ip whitelist?

Unfortunate to not find any replies here :disappointed_face: as I am now in the same boat.
Did you find a solution to your issue? :slightly_smiling_face:

Cheers,

matthias