Webhooks Security

Report · Sep 23, 2021

Hi all, I have been read the webhook documentation (https://www.adobe.io/apis/documentcloud/sign/docs.html#!adobedocs/adobe-sign/master/webhooks.md#secu... and I know there is the Two-way SSL authentication, but is there another security that client server could do? Some extra security?
Like whitelist the adobe webhook IP's range.
I read that "your webhook URL must not be blocked by a firewall", but if I only open/available the URL for some IP's (adobe IP's) it will avoid the webhook?
Also I see that "the client URL must be available on the public internet", but the must avaliable for everybody, every IP?
Is there some reason to use only 2-way SSL?

Report · Sep 30, 2021

2-way is optional you don't have to use it. It'll be the Adobe Sign server which will pring Post messages to the url, so only the Adobe Sign ip adresses need to be able to access the url.

See also the security section on the link you shared.

Report · Sep 30, 2021

So, is It possible to Adobe give the IP`s address range from webhook?

Report · Sep 30, 2021

no not that way.

You can only do this on the url server and allow listing Adobe's IP range.

You cannot tell Adobe to just contact your ip range. There you can only use 2-way tsl/ssl

Report · Sep 30, 2021

Ok, but Can Adobe tell me the IP range from his webhook ? Or Adobe IP's range ?
That I could block any another request which is not from Adobe IP range's

Report · Oct 01, 2021

Sign ip addressess are listed in the system requirements article:

https://helpx.adobe.com/in/sign/system-requirements.html