benmadsen asked

Analytics Webhook Security / Source Validation

Are there any ways to validate that PlayFab webhook calls from the Analytics Webhooks definitions are actually from PlayFab? I don't see any sort of keys or preshared secrets or anything.

I get a little worried that someone could figure out the URL and send something over that looked like it was from PlayFab. Not hugely concerned, but it does mean I have to be careful about designing my webhook handlers.


1 Answer

brendan answered

Currently, calls coming from PlayFab will only be from one of three IP Addresses: 34.213.208.16, 34.216.170.167, and 52.13.201.178.

3 comments

benmadsen commented ·

Oh. Awesome. Thank you!

0 Likes 0 ·
mmitchell commented ·

With the migration to Azure, will these IP addresses be affected?

Ideally I would like webhooks to support things like AWS IAM so we can configure the webhook with AWS access and secret key and it can send appropriate headers.

0 Likes 0 ·
brendan replied to mmitchell ·

If there's any change needed there, we'll be announcing it well ahead of time. Right now, we don't have any specific date for a migration.

0 Likes 0 ·
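
An added example (not part of the original thread and not PlayFab code) of enforcing the source-address list from the answer inside a webhook handler. The function names and the `TRUSTED_PROXIES` range are assumptions; the check resolves the sender from the TCP peer and reads `X-Forwarded-For` only when that peer is your own proxy.

```python
import ipaddress

# Source addresses quoted in the answer above ("currently"): keep them in config.
PLAYFAB_WEBHOOK_IPS = frozenset(
    ipaddress.ip_address(a)
    for a in ("34.213.208.16", "34.216.170.167", "52.13.201.178")
)

# Assumption: address range of your own reverse proxy (constructed sample value).
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)


def _parse(addr):
    """Parse an address string, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def _is_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, forwarded_for=None):
    """Resolve the sender address.

    X-Forwarded-For is client-supplied, so it is honoured only when the TCP
    peer is one of our proxies, and read right to left up to the first hop
    we do not operate; entries further left are never trusted.
    """
    ip = _parse(peer_addr)
    if not _is_proxy(ip) or not forwarded_for:
        return ip
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse(hop)
        if not _is_proxy(ip):
            break
    return ip


def is_from_playfab(peer_addr, forwarded_for=None):
    """True only for an allowlisted sender; malformed input fails closed."""
    try:
        return client_ip(peer_addr, forwarded_for) in PLAYFAB_WEBHOOK_IPS
    except ValueError:
        return False
```

A source-address check establishes network origin only, so handlers should still validate the payload they receive.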
