New — webhooks your AI agents can wait on. Hook & Sense opening to early access.

Glossary

IP Allowlisting

Accepting webhook traffic only from the sender's published IP ranges. A defense-in-depth layer — never a substitute for signature verification.

Some providers publish the IP ranges their webhooks originate from — Stripe has a static list, GitHub exposes ranges via its /meta API endpoint. Configuring your firewall or load balancer to accept webhook traffic only from those ranges cuts off drive-by probing of your endpoint before a single byte reaches your handler.

It's a brittle control on its own: providers add and rotate ranges (which is why GitHub serves them from an API, not docs), traffic may arrive via proxies or CDNs that mask the source, and an allowlisted IP proves only where a request came from — not that its body is authentic or untampered. Compliance checklists often require it; security actually comes from the signature.

The layering that works: allowlist at the edge to reduce noise, verify the HMAC signature in the handler to establish authenticity, and enforce timestamp tolerance to kill replays. Each layer catches what the previous one can't.

How HookSense helps

HookSense records the source IP of every captured callback alongside its headers and verified signature — so an agent (or you) can audit exactly which addresses are hitting an endpoint before deciding an allowlist is worth the maintenance.

Get a free webhook URL

Related terms