#mangle8582

Hello mangle8582, we'll be with you shortly! Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.
• https://discord.com/channels/841573134531821608/1164195983429738637, 1 days ago, 7 messages

Hello! They don't change too often and when they do we also send an email with advance notice letting everyone know (this mailing list: https://groups.google.com/a/lists.stripe.com/g/api-announce)

Usually it's new IPS to be added or removing IPS?

But if a new request comes from a new api that i didn't hardcode it won't be accepted by my server.

https://stripe.com/files/ips/ips_webhooks.json

If i make the curl for this, i think i should be ok right?

Do you have a rate limiter on that url?

Hello! I'm taking over and catching up...

Hello!

I'm honestly not sure if we have rate limits set up on that JSON file. We probably do, but they're probably very high.

Can you set up your system to fetch that JSON file only when an unknown IP attempts a connection?

That's a nice ideea

That way you don't have to fetch it every time. You fetch it, cache the results, then wait for a new IP to come along before you fetch it again to check the new IP.

But is it really necessary to have restriction for ip?

req.header('Stripe-Signature'),

If we already have this, it shoudn't be enough for security reasons?

Yeah, if you're verifying signatures you don't need the IP restrictions on top of that. You certainly can do that, but the signature verification should be fine by itself.