I am looking for the list of domains that the application uses (e.g., api.strava.com, etc.) or a list of IP addresses for the application.
I need it in order to detect the traffic originating from mobile users to Strava and allow this traffic while stopping all other traffic.
Many thanks for your help.
A safelist of IP addresses and/or IP address blocks is necessary. Otherwise it would be possible for anyone who knows my routes to call. Garmin provides this to its developers.
Here's what I've seen on my webhooks today:
My strategy without further support will be to allow only those that I see as a result of my interactions during development.
Please also remove blocking the sharing of IP addresses. Good grief.
Offering additional threat assessment and mitigations in the absence of an IP safelist:
When considering all of the exposed Strava endpoints on my webserver, I don't see any serious threats (other than DoS attacks) except the webhook callback, which needs some special attention:
Hope that helps,
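The observed-source strategy described above, together with the extra care the webhook callback needs, as an added example written for this page (it is not Strava's code and not from any poster in the thread): a gatekeeper in front of a webhook receiver that collapses the addresses seen during development into CIDR blocks, enforces them, and only believes X-Forwarded-For when the connection arrives from our own proxy. Everything specific here is an assumption: the observed addresses and proxy range are constructed from RFC 5737 / RFC 1918 documentation and private space, and the enforce/observe switch is a design choice. The thread reports that Strava does not publish a callback IP list, so no range below is an official one.

```python
"""Source-IP allowlisting for an inbound webhook receiver.

Added example; not Strava's code and not from the thread's posters. Strava
does not publish a callback IP safelist (per the thread), so the allowlist
is built from addresses observed during development. All addresses below
are constructed (RFC 5737 documentation ranges, RFC 1918 for the proxy).
"""
import ipaddress
import logging
from typing import Iterable

log = logging.getLogger("webhook")

# Constructed: addresses seen hitting the callback during development.
OBSERVED_SOURCES = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.7"]

# Constructed: our own reverse proxy / load balancer. It is the only peer
# whose X-Forwarded-For header we are willing to believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def build_allowlist(observed: Iterable[str]):
    """Collapse individual observed addresses into the minimal set of CIDR blocks.

    Adjacent addresses merge (198.51.100.10 and .11 -> 198.51.100.10/31); a lone
    address stays a /32. Widen a block by hand only if the provider confirms it.
    """
    nets = [ipaddress.ip_network(addr, strict=False) for addr in observed]
    return list(ipaddress.collapse_addresses(nets))


def client_ip(remote_addr: str, headers: dict):
    """Work out the real client address for this request.

    X-Forwarded-For is attacker-controlled unless the TCP peer is our own
    proxy; only then trust the entry our proxy appended (the right-most one).
    A trusted proxy that sends no header yields the proxy's own address,
    which is deliberately not in the allowlist.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer
    forwarded = headers.get("X-Forwarded-For", "")
    if not forwarded:
        return peer
    return ipaddress.ip_address(forwarded.split(",")[-1].strip())


def is_allowed(ip, allowlist) -> bool:
    """True when the address falls inside any allowlisted block."""
    return any(ip in net for net in allowlist)


def handle_webhook(remote_addr: str, headers: dict, allowlist, enforce: bool = True):
    """Gatekeeper that runs before the webhook body is even parsed.

    Returns (http_status, note). With enforce=False the receiver runs in
    observation mode: unknown sources are logged but not rejected, which is
    how the allowlist gets populated during development.
    """
    ip = client_ip(remote_addr, headers)
    if is_allowed(ip, allowlist):
        return 200, "accepted"
    if enforce:
        log.warning("rejected webhook from unlisted source %s", ip)
        return 403, f"source {ip} not in allowlist"
    log.info("observation mode: new webhook source %s", ip)
    return 200, f"observed new source {ip}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    allow = build_allowlist(OBSERVED_SOURCES)
    print("allowlist:", [str(n) for n in allow])
    # Direct hit from a known source, then a spoofed header from a stranger.
    print(handle_webhook("198.51.100.11", {}, allow))
    print(handle_webhook("192.0.2.1", {"X-Forwarded-For": "198.51.100.10"}, allow))
    # Same stranger seen during development, observation mode only.
    print(handle_webhook("192.0.2.1", {}, allow, enforce=False))
```

Run in observation mode first to harvest sources, then flip `enforce` once the collapsed list is stable; the spoofed-header case in the usage block shows why the header is ignored unless the peer is the proxy itself.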