@mmoandev
Using https://search.arin.net/rdap/?query=198.241.206.38 you can see that A.Net could potentially use any IP addresss in the range 198.241.128.0 - 198.241.255.255. Here's my php code to verify that my webhook is being executed by A.Net.
// Convert remote IP address in the form of a string to an integer
$remoteIpAddrStr = $_SERVER['REMOTE_ADDR'];
$remoteIpAddrInt = ip2long($remoteIpAddr);
$anetIpLowInt = ip2long('198.241.128.0');
$anetIpHighInt = ip2long('198.241.255.255');
if ($anetIpLowInt <= $remoteIpAddrInt && $remoteIpAddrInt <= $anetIpHighInt)
{
// This request came from Authorize.Net - Visa
} else {
// Received bogus request from $remoteIpAddrStr!
}
Caution - you are under the impression that Webhooks provide real-time notifications. So far my testing of 18 authcapture webhooks found that there's a 5 - 24 second delay between the authcapture and the webhook executing. I need "real-time" reporting, like what I had with Relay Response. Hence I'm implementing code in my IFrameCommunicator.php receiveEventMessage() that posts to a URL on my server the transId value, and that code then sends the transId in a GetTransactionDetailsRequest to get all of the transaction details and compare them to what I've previously recorded in my database.