#tounka-webhook-ips
Hi 👋
You can examine the webhook requests sent directly and we will always use the same headers.
got it. is the webhook signature enough or do yall typically recommend checking the IP/Origin of the request too?
Webhook signature verification is sufficient to validate the requests come from Stripe: https://stripe.com/docs/webhooks/signatures
got it. How often are these changed? https://stripe.com/docs/ips#webhook-notifications
some years we don't touch them, other years we add new ones multiple times. There isn't really a set schedule
And no it's a normal HTTPS request, you can't control the headers and have to allow list the IPs or do signature verification or put a secret in the URL
do you recommend just using the webhook signature or having the signature and an allowlist?
signature is usually enough. Allow list would be more if you're worried about someone sending many fake requests and you want to guarantee the request comes from Stripe
got it. is it possible to just allow the domain dashboard.stripe.com instead of the IP addresses?
no that doesn't make sense, the requests would not come from a URL and have nothing to do with the Dashboard
It's a network request, you can only allow IP addresses
not sure, I'd recommend trying this in Test mode, seeing real requests come in and compare
both headers have the Stripe IP. wasn't sure if one was recommended over the other
thanks for your help!
sure thing!