Solved

List of domains that the application uses



Hi All, 
I am looking for the list of domains that the application uses (e.g., api.strava.com, etc...) or a list of IP addresses for the application. 

I need it in order to detect the traffic originated from Mobile users to Strava and allow this traffic while stopping all the other. 

Many thanks for your help. 

Best answer by Elliott

Hi there, 

We've escalated this request to our support team and your inquiry will be handled accordingly. 


8 replies

  • Community Manager
  • 132 replies
  • Answer
  • March 21, 2023


  • Hub Rookie
  • 3 replies
  • April 3, 2023

@Elliott11 Is there any response on that question? I also need to restrict the traffic to my server, and allow only connections from Strava. Thanks.


  • Hub Rookie
  • 3 replies
  • April 12, 2023

Hi @Elliott11 

When can we expect a solution or any answer?


  • Hub Starter
  • 3 replies
  • August 23, 2023

Hello,

A safelist of IP addresses and/or IP address blocks is necessary. Otherwise it would be possible for anyone who knows my routes to call them. Garmin provides this to its developers.

Here's what I've seen on my webhooks today:

My strategy without further support will be to allow only these that I see as a result of my interactions during development.

Please also remove blocking the sharing of IP addresses. Good grief.

Thanks,

Doug


  • Hub Starter
  • 3 replies
  • August 23, 2023

Offering additional threat assessment and mitigations in the absence of an IP safelist:

When considering all of the exposed Strava endpoints on my webserver, I don't see any serious threats (other than DoS attacks) except the webhook callback, which needs some special attention:

  • Token exchange endpoint (Where you redirect your users after the authorize page).
    • Threat model: This endpoint accepts a token code. The fact that a code exists means the user gave permission; interception is of no value. Moreover, only a legit user will have one that can be exchanged for an access token.
    • Mitigation: Detect a non-success status code from Strava at /oauth/token.
    • Caveats: You can still get spammed (DDoSed) with bogus codes. Strava might think you are the threat calling /oauth/token too much.
  • Callback challenge (with hub_challenge and verify_token).
    • Threat model: Only Strava will have your verify_token.
    • Mitigation: Check the verify_token.
    • Caveats: 
      • You can still get spammed (DDoSed) with bogus codes. There's no call to Strava, so they don't think you are a threat.
      • Your token could be guessed (try until they get an echo back), but it's not of much value. The user will just get their challenge echoed back.
  • Webhook callback
    • Threat model:
      • Subscription IDs seem to be issued sequentially, and I am getting IDs less than 250,000, so it's possible someone could scan them linearly and discover yours.
    • Mitigations:
      • Check given subscription_id against your known ID(s).
      • Check owner_id against your known authorized users.


Hope that helps,

Doug
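An added example, not code from Doug's post or from Strava, that implements the two mitigations above for the callback handlers: the verify_token check on the challenge request, and the subscription_id and owner_id checks on delivered events. The parameter names (hub.mode, hub.challenge, hub.verify_token) and event field names are assumed from Strava's webhook documentation; the token, IDs and sample requests are constructed.

```python
import hmac
import json

# Constructed sample values for this example; use your own subscription's values.
VERIFY_TOKEN = "constructed-verify-token"
KNOWN_SUBSCRIPTION_IDS = {123456}      # ID(s) Strava returned when you subscribed
AUTHORIZED_OWNER_IDS = {1001, 1002}    # athlete IDs that completed OAuth with your app

# Constructed sample requests (not captured Strava traffic).
GOOD_CHALLENGE = {"hub.mode": "subscribe", "hub.challenge": "constructed-challenge-1",
                  "hub.verify_token": VERIFY_TOKEN}
BAD_CHALLENGE = dict(GOOD_CHALLENGE, **{"hub.verify_token": "guess"})
GOOD_EVENT = json.dumps({"subscription_id": 123456, "owner_id": 1001, "object_type": "activity",
                         "object_id": 9999, "aspect_type": "create", "updates": {}})
SCANNED_EVENT = json.dumps({"subscription_id": 123457, "owner_id": 1001, "object_type": "activity",
                            "object_id": 9999, "aspect_type": "create", "updates": {}})


def handle_challenge(params, verify_token=VERIFY_TOKEN):
    """GET callback: echo hub.challenge only if hub.verify_token matches.

    `params` is the parsed query string as a dict of str -> str.
    Returns (http_status, response_body).
    """
    token = params.get("hub.verify_token", "")
    # Constant-time comparison so the token cannot be narrowed down by timing.
    if params.get("hub.mode") != "subscribe" or not hmac.compare_digest(
            token.encode(), verify_token.encode()):
        return 403, {"error": "verify_token mismatch"}
    return 200, {"hub.challenge": params.get("hub.challenge", "")}


def validate_event(body, known_ids=KNOWN_SUBSCRIPTION_IDS, owners=AUTHORIZED_OWNER_IDS):
    """POST callback: accept an event only for one of our subscription IDs and
    an athlete who actually authorized this app. Returns (ok, reason)."""
    try:
        event = json.loads(body)
    except (TypeError, ValueError):
        return False, "malformed JSON"
    if not isinstance(event, dict):
        return False, "unexpected JSON shape"
    sub_id, owner_id = event.get("subscription_id"), event.get("owner_id")
    if not isinstance(sub_id, int) or sub_id not in known_ids:
        return False, "unknown subscription_id"   # defeats a linear scan of IDs
    if not isinstance(owner_id, int) or owner_id not in owners:
        return False, "owner_id not authorized"
    return True, "ok"


if __name__ == "__main__":
    print(handle_challenge(GOOD_CHALLENGE), handle_challenge(BAD_CHALLENGE))
    print(validate_event(GOOD_EVENT), validate_event(SCANNED_EVENT))
```

Neither check stops the bogus-request spam Doug notes as a caveat; rate limiting at the web server or edge is still needed for that.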


  • Hub Starter
  • 1 reply
  • February 27, 2024

Hey @Elliott11 ,

Is there any news about this subject? Thanks



  • Hub Starter
  • 1 reply
  • July 8, 2024

Hi,

I am having the same issue, can I get this IP whitelist also?

Regards

Andrzej


  • Hub Starter
  • 1 reply
  • September 23, 2024

There should be an official list of IP addresses provided in the documentation. Has there been any progress on this point?



