
IP Filtering

IP filtering allows you to restrict which IP addresses can send webhooks to your sources. Use allowlists to accept only known IPs, denylists to block malicious actors, or both for layered security.

Filter Modes

Mode       Description                             Use Case
none       No IP filtering                         Default, accept all IPs
allowlist  Only allow listed IPs                   Known webhook providers
denylist   Block listed IPs                        Known bad actors
both       Denylist checked first, then allowlist  Maximum security

IP Format Support

Hookbase supports multiple IP formats:

  • Single IPv4: 192.168.1.100
  • IPv4 CIDR: 10.0.0.0/8
  • Single IPv6: 2001:db8::1
  • IPv6 CIDR: 2001:db8::/32

Configuration

Via API

# Create source with allowlist only
curl -X POST "https://api.hookbase.app/api/sources" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "GitHub Webhooks",
    "slug": "github",
    "ipFilterMode": "allowlist",
    "ipAllowlist": [
      "192.30.252.0/22",
      "185.199.108.0/22",
      "140.82.112.0/20"
    ]
  }'

# Create source with denylist only
curl -X POST "https://api.hookbase.app/api/sources" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Public Webhooks",
    "slug": "public",
    "ipFilterMode": "denylist",
    "ipDenylist": [
      "1.2.3.4",
      "10.20.30.0/24"
    ]
  }'

# Create source with both (denylist checked first)
curl -X POST "https://api.hookbase.app/api/sources" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Secure Webhooks",
    "slug": "secure",
    "ipFilterMode": "both",
    "ipAllowlist": ["10.0.0.0/8"],
    "ipDenylist": ["10.0.0.1"]
  }'

Via Dashboard

  1. Navigate to Sources
  2. Click Add Source or edit an existing source
  3. Expand the Advanced Security section
  4. Select an IP Filtering mode
  5. Enter IPs/CIDRs (one per line)
  6. Save the source

How Filtering Works

When a webhook arrives, Hookbase checks the client IP:

┌─────────────────┐
│ Incoming Request│
└────────┬────────┘
         │
         ▼
┌─────────────────┐     Yes    ┌─────────────┐
│ Mode = 'both'?  │───────────►│ On denylist?│──Yes──► REJECT (403)
└────────┬────────┘            └──────┬──────┘
         │ No                         │ No
         │                            ▼
         ▼                     ┌─────────────┐
┌─────────────────┐            │On allowlist?│──No───► REJECT (403)
│Mode='denylist'? │            └──────┬──────┘
└────────┬────────┘                   │ Yes
         │                            ▼
         │ Yes                     ACCEPT
         ▼
┌─────────────────┐
│  On denylist?   │──Yes──► REJECT (403)
└────────┬────────┘
         │ No
         ▼
      ACCEPT

┌─────────────────┐
│Mode='allowlist'?│
└────────┬────────┘
         │ Yes
         ▼
┌─────────────────┐
│  On allowlist?  │──No───► REJECT (403)
└────────┬────────┘
         │ Yes
         ▼
      ACCEPT
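
The decision order above can be modelled locally to check a list before it is pushed to a source, which also catches the /24-vs-/22 kind of CIDR mistake. This Python is an added example, not Hookbase's own code: the function names, the strict CIDR parsing and the sample data are assumptions made here, while the field names (ipFilterMode, ipAllowlist, ipDenylist) come from the API examples on this page.

```python
import ipaddress

MODES = ("none", "allowlist", "denylist", "both")

def matches(ip, entries):
    """True if ip is covered by any entry (single address or CIDR, IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        # Assumption: strict parsing, so an entry with host bits set
        # (e.g. 10.20.30.5/24) raises ValueError and flags a likely typo.
        net = ipaddress.ip_network(entry)
        if addr.version == net.version and addr in net:
            return True
    return False

def decide(ip, mode="none", allowlist=(), denylist=()):
    """Return (accepted, reason) in the documented order: denylist, then allowlist."""
    if mode not in MODES:
        raise ValueError(f"unknown ipFilterMode: {mode!r}")
    if mode in ("denylist", "both") and matches(ip, denylist):
        return False, "on denylist"
    if mode in ("allowlist", "both") and not matches(ip, allowlist):
        return False, "not on allowlist"
    return True, "accepted"

def preflight(config, expected):
    """List (ip, wanted, got, reason) for every IP the config decides wrongly."""
    failures = []
    for ip, wanted in expected.items():
        got, reason = decide(ip, config.get("ipFilterMode", "none"),
                             config.get("ipAllowlist", ()),
                             config.get("ipDenylist", ()))
        if got != wanted:
            failures.append((ip, wanted, got, reason))
    return failures

# Constructed sample: a source body shaped like the curl examples on this page,
# with a deliberate /24-for-/22 typo in the first range.
SAMPLE_CONFIG = {
    "ipFilterMode": "both",
    "ipAllowlist": ["192.30.252.0/24", "10.0.0.0/8"],
    "ipDenylist": ["10.0.0.1"],
}
# Constructed expectations: True = must be accepted, False = must be rejected.
SAMPLE_EXPECTED = {"192.30.253.10": True, "10.0.0.2": True, "10.0.0.1": False}

if __name__ == "__main__":
    for ip, wanted, got, reason in preflight(SAMPLE_CONFIG, SAMPLE_EXPECTED):
        print(f"{ip}: expected accept={wanted}, got accept={got} ({reason})")
```

Running it on the sample reports 192.30.253.10 as wrongly rejected, because that address lies inside 192.30.252.0/22 but outside the mistyped /24.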

Rejected Requests

Blocked requests receive a 403 Forbidden response:

{
  "error": "IP not allowed",
  "clientIp": "1.2.3.4"
}

Blocked requests are logged but do not count toward your event quota.

Common Provider IPs

GitHub

192.30.252.0/22
185.199.108.0/22
140.82.112.0/20
143.55.64.0/20

GitHub publishes their IP ranges at: https://api.github.com/meta

Stripe

54.187.174.169
54.187.205.235
54.187.216.72
54.241.31.99
54.241.31.102
54.241.34.107

Stripe publishes their IP ranges in their documentation.

Slack

52.33.21.166/32
54.68.41.53/32
54.213.84.130/32
54.245.19.183/32

Best Practices

  1. Use with signature verification: IP filtering adds a layer of security but shouldn't be the only protection
  2. Keep lists updated: Provider IPs can change; subscribe to their notifications
  3. Start with denylist: If you're unsure which IPs to allow, start by blocking known bad actors
  4. Use CIDR notation: Ranges are more maintainable than individual IPs
  5. Test before deploying: Verify your allowlist includes all legitimate sources

Updating IP Lists

# Update IP filtering on existing source
curl -X PATCH "https://api.hookbase.app/api/sources/{sourceId}" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "ipAllowlist": [
      "192.30.252.0/22",
      "185.199.108.0/22",
      "NEW_IP_RANGE"
    ]
  }'

Troubleshooting

Legitimate requests being blocked

  1. Check the client IP in your webhook provider's dashboard
  2. Verify the IP is in your allowlist
  3. Check for CIDR notation errors (e.g., /24 vs /22)
  4. Consider proxy headers if using a CDN: the connecting address may belong to the CDN rather than the webhook provider

Malicious requests getting through

  1. Ensure IP filtering mode is set correctly
  2. Check if the attacker is using an allowed IP range
  3. Consider combining with signature verification

Released under the MIT License.