Authorize.Net Accept Hosted Notification Whitelist

When Authorize.net's server constructs an HTTP POST to the endpoint URL specified in the Webhook enrollment, a hash is included in the header. Your application can use the hash to verify the data integrity and authentication of the post message.

The body of the message is hashed with your signature key using HMAC SHA-512. The signature key can be obtained in the Authorize.Net Merchant Interface, at Account > Settings > Security Settings > General Security Settings > API Credentials and Keys.

The hash is sent in a custom header: X-ANET-Signature. Using the signature key, the body can be hashed again using the same algorithm. The calculated hash should match the hash sent in the header. If the hashes do not match, it could be an indication of a threat, and the Webhook message should be rejected.

Thanks.  We do plan to use this hash matching technique to validate the authenticity of the HTTP post.

As an additional layer of protection, is there any way to whitelist known IP's from which the HTTP post would originate?

Hi @mmoandev,

You can certainly do that, but I wouldn't recommend it. We can add additional IPs at any time, and you run the risk of blocking valid notifications.

That said, the current list is

• 198.241.206.38
• 198.241.207.38

@mmoandev

Using https://search.arin.net/rdap/?query=198.241.206.38 you can see that A.Net could potentially use any IP addresss in the range 198.241.128.0 - 198.241.255.255. Here's my php code to verify that my webhook is being executed by A.Net.

// Convert remote IP address in the form of a string to an integer

$remoteIpAddrStr = $_SERVER['REMOTE_ADDR'];

$remoteIpAddrInt = ip2long($remoteIpAddr);

$anetIpLowInt  = ip2long('198.241.128.0');

$anetIpHighInt = ip2long('198.241.255.255');

if ($anetIpLowInt <= $remoteIpAddrInt && $remoteIpAddrInt <= $anetIpHighInt)

{

    // This request came from Authorize.Net - Visa

} else {

    // Received bogus request from $remoteIpAddrStr!

}

Caution - you are under the impression that Webhooks provide real-time notifications. So far my testing of 18 authcapture webhooks found that there's a 5 - 24 second delay between the authcapture and the webhook executing. I need "real-time" reporting, like what I had with Relay Response. Hence I'm implementing code in my IFrameCommunicator.php receiveEventMessage() that posts to a URL on my server the transId value, and that code then sends the transId in a GetTransactionDetailsRequest to get all of the transaction details and compare them to what I've previously recorded in my database.