We whitelisted the stripe IPs completely after getting burned once. If Stripe gets hacked so that the hackers jump off to our site, we have far bigger problems to worry about.
It seems like Cloudflare should be doing this for you. It wouldn't be hard for them to keep a list of IPs from common known-good integrations. They could prompt on first hit to ask you if you want to allow-list those companies, or even just do it by default.
Can you imagine the firestorm that would happen if CF was found to be allowing traffic from certain other entities, no matter how trustworthy they're perceived to be, to bypass security controls by default? And the firestorm would be entirely warranted.
danpalmer|3 years ago
JohnFen|3 years ago