
Hi All, 
I am looking for the list of domains that the application uses (e.g., api.strava.com, etc...) or a list of IP addresses for the application. 

I need it in order to detect the traffic originating from mobile users to Strava and allow this traffic while stopping all the other. 

Many thanks for your help. 

Hi there, 


We've escalated this request to our support team and your inquiry will be handled accordingly. 


@Elliott11 Is there any response on that question? I also need to restrict the traffic to my server, and allow only connections from strava. Thanks.


Hi @Elliott11 

When can we expect the solution or any answer?


Hello,

A safelist of IP addresses and/or IP address blocks is necessary. Otherwise it would be possible for anyone who knows my routes to call. Garmin provides this to its developers.

Here's what I've seen on my webhooks today:

My strategy without further support will be to allow only these that I see as a result of my interactions during development.

Please also remove blocking the sharing of IP addresses. Good grief.

Thanks,

Doug


Offering additional threat assessment and mitigations in the absence of an IP safelist:

When considering all of the exposed Strava endpoints on my webserver, I don't see any serious threats (other than DOS attacks) except the webhook callback, which needs some special attention:

  • Token exchange endpoint (where you redirect your users after the authorize page).
    • Threat model: This endpoint accepts a token code. The fact that a code exists means the user gave permission; interception is of no value. Moreover, only a legitimate user will have one that can be exchanged for an access token.
    • Mitigation: Detect a non-success status code from Strava at /oauth/token.
    • Caveats:  You can still get spammed (DDOSed) with bogus codes. Strava might think you are the threat calling /oauth/token too much.
  • Callback challenge (with hub_challenge and verify_token).
    • Threat model: Only Strava will have your verify_token.
    • Mitigation: Check the verify_token.
    • Caveats: 
      • You can still get spammed (DDOSed) with bogus codes. There's no call to Strava, so they don't think you are a threat.
      • Your token could be guessed (try until they get an echo back), but it's not of much value. The user will just get their challenge echoed back.
  • Webhook callback
    • Threat model:
      • Subscription IDs seem to be issued sequentially, and I am getting IDs less than 250,000, so it's possible someone could scan them linearly and discover yours.
    • Mitigations:
      • Check given subscription_id against your known ID(s).
      • Check owner_id against your known authorized users.


Hope that helps,

Doug

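As an added illustration of the callback-challenge and webhook-callback checks described in Doug's post above (this is example code written for this thread, not Strava's code or any poster's; the verify token, subscription ID and owner IDs are constructed placeholders, and the `hub.*` query parameter names and event payload fields follow Strava's documented webhook format):

```python
import hmac
import json
from typing import Dict, Iterable, Tuple

# Constructed placeholder: the verify_token you chose when creating the subscription.
VERIFY_TOKEN = "VERIFY_TOKEN_PLACEHOLDER"

# Constructed placeholders: the subscription ID Strava returned when you subscribed,
# and the athlete IDs of users who completed OAuth with your application.
KNOWN_SUBSCRIPTION_IDS = {123456}
AUTHORIZED_OWNER_IDS = {1001, 1002}


def handle_challenge(query: Dict[str, str],
                     verify_token: str = VERIFY_TOKEN) -> Tuple[int, dict]:
    """Validate the subscription-challenge GET.

    Strava sends hub.mode, hub.verify_token and hub.challenge as query
    parameters; the challenge is echoed back only when verify_token matches.
    Returns (http_status, json_body).
    """
    if query.get("hub.mode") != "subscribe":
        return 400, {"error": "unexpected hub.mode"}
    presented = query.get("hub.verify_token", "")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(presented.encode(), verify_token.encode()):
        return 403, {"error": "verify_token mismatch"}
    challenge = query.get("hub.challenge")
    if not challenge:
        return 400, {"error": "missing hub.challenge"}
    return 200, {"hub.challenge": challenge}


def handle_event(body: str,
                 known_subscription_ids: Iterable[int] = KNOWN_SUBSCRIPTION_IDS,
                 authorized_owner_ids: Iterable[int] = AUTHORIZED_OWNER_IDS) -> Tuple[int, str]:
    """Validate a webhook event POST before acting on it.

    Returns (http_status, disposition). Well-formed events always get 200 so the
    endpoint does not act as an oracle telling a scanner which subscription_id
    or owner_id values are yours; unknown ones are simply not processed.
    """
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    required = ("subscription_id", "owner_id", "object_type", "object_id", "aspect_type")
    missing = [k for k in required if k not in event]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    if event["subscription_id"] not in set(known_subscription_ids):
        return 200, "ignored: unknown subscription_id"
    if event["owner_id"] not in set(authorized_owner_ids):
        return 200, "ignored: owner_id not authorized"
    # At this point the event passed both checks; real code would enqueue it
    # for processing and return quickly, as Strava expects a prompt 200.
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs.
    good_query = {"hub.mode": "subscribe", "hub.verify_token": VERIFY_TOKEN,
                  "hub.challenge": "15f7d1a91c1f40f8a748fd134752feb3"}
    bad_query = dict(good_query, **{"hub.verify_token": "guess"})
    print(handle_challenge(good_query))
    print(handle_challenge(bad_query))

    good_event = json.dumps({"subscription_id": 123456, "owner_id": 1001,
                             "object_type": "activity", "object_id": 42,
                             "aspect_type": "create", "updates": {}})
    scanned_event = json.dumps({"subscription_id": 123457, "owner_id": 1001,
                                "object_type": "activity", "object_id": 42,
                                "aspect_type": "create", "updates": {}})
    print(handle_event(good_event))
    print(handle_event(scanned_event))
```

Both functions are framework-agnostic so they can be dropped behind whatever HTTP handler you use; the only design choice worth noting is that `handle_event` answers 200 for well-formed but unrecognised events, so someone scanning subscription IDs linearly (the threat in the post) learns nothing from the response code.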

Hey @Elliott11 ,

Is there any news about this subject? Thanks



Hi,

I am having the same issue, can I get this IP whitelist also?

Regards

Andrzej


There should be an official list of IP addresses provided in the documentation. Has there been any progress on this point?

