Securing Webhook Endpoints

Built-in SSRF Protection

Server Scout includes robust Server-Side Request Forgery (SSRF) protection through the validateWebhookUrl() function. This security measure automatically blocks webhook URLs that target private IP ranges and potentially dangerous endpoints.

The following IP ranges are blocked by default:

  • 10.0.0.0/8 - Private Class A networks
  • 172.16.0.0/12 - Private Class B networks
  • 192.168.0.0/16 - Private Class C networks
  • 127.0.0.0/8 - Loopback addresses (localhost)
  • 169.254.0.0/16 - Link-local addresses

Additionally, Server Scout blocks:

  • localhost and variations (127.0.0.1, ::1)
  • Non-HTTP schemes (only http:// and https:// are permitted)
  • URLs that resolve to blocked IP ranges after DNS resolution

Why SSRF Protection Matters

SSRF attacks occur when an attacker manipulates server-side applications to make requests to unintended locations. In the context of webhooks, this could allow malicious users to:

  • Scan internal network infrastructure by providing internal IP addresses as webhook endpoints
  • Access sensitive services running on localhost (databases, admin panels, configuration APIs)
  • Bypass firewalls and access controls by using the monitoring server as a proxy
  • Enumerate internal services and gather reconnaissance data

Server Scout's validation prevents these attacks by ensuring webhook requests only target legitimate external endpoints.

Webhook Security Best Practices

Whilst Server Scout handles outbound security, you should implement additional measures on your webhook receiving endpoints:

1. Verify Source IP Addresses

Configure your webhook endpoint to only accept requests from your Server Scout installation's IP address:

# Nginx example
location /webhook {
    allow 203.0.113.10;  # Your Server Scout server IP
    deny all;
    
    proxy_pass http://localhost:3000;
}

2. Use HTTPS Exclusively

Always use HTTPS for webhook URLs to prevent interception:

# Good
https://api.example.com/webhooks/server-scout

# Avoid
http://api.example.com/webhooks/server-scout

3. Implement Webhook Signing

Add a secret token to your webhook URLs and verify it on the receiving end:

import hmac
import hashlib

def verify_webhook_signature(payload, signature, secret):
    expected = hmac.new(
        secret.encode('utf-8'),
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)

4. Rate Limiting

Implement rate limiting to prevent abuse:

# Using fail2ban
[server-scout-webhook]
enabled = true
port = https,http
filter = server-scout-webhook
logpath = /var/log/nginx/access.log
maxretry = 10
bantime = 300

Troubleshooting Webhook Validation Errors

When webhook URLs fail validation, you'll encounter specific error messages. Here's how to resolve common issues:

"URL contains blocked IP range"

Problem: Your webhook URL resolves to a private IP address.

Solution: Ensure your webhook endpoint uses a public IP address or domain name that doesn't resolve to private ranges.

# Check what IP your domain resolves to
nslookup your-webhook-domain.com
dig +short your-webhook-domain.com

"Invalid URL scheme"

Problem: You're using a non-HTTP protocol.

Solution: Change your webhook URL to use http:// or https://:

# Invalid
ftp://example.com/webhook
ws://example.com/webhook

# Valid  
https://example.com/webhook

"Localhost access blocked"

Problem: Your webhook URL targets localhost or loopback addresses.

Solution: Use the external IP address or domain name instead:

# Blocked
http://localhost:3000/webhook
http://127.0.0.1:3000/webhook

# Allowed (if publicly accessible)
http://203.0.113.10:3000/webhook
https://webhooks.yourcompany.com/alerts

Testing Webhook Connectivity

After configuring your webhook URL, test connectivity from your Server Scout server:

# Test HTTP connectivity
curl -I https://your-webhook-endpoint.com/path

# Check DNS resolution
dig +short your-webhook-endpoint.com

# Verify no private IPs in response
nslookup your-webhook-endpoint.com

Remember that webhook validation occurs both when you configure the URL and each time Server Scout attempts to send a notification. This dual-layer approach ensures ongoing security even if DNS records change after initial configuration.

Frequently Asked Questions

How do I set up secure webhook endpoints in ServerScout?

Use HTTPS URLs that point to public IP addresses or domains. ServerScout automatically validates webhook URLs and blocks private IP ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x) and localhost addresses. Additionally, implement IP allowlisting on your webhook receiver to only accept requests from your ServerScout server's IP address.

Why am I getting webhook validation errors saying blocked IP range?

This error occurs when your webhook URL resolves to a private IP address that ServerScout blocks for security. Check what IP your domain resolves to using nslookup or dig commands. Ensure your webhook endpoint uses a public IP address or domain name that doesn't resolve to private ranges like 192.168.x.x or 127.0.0.1.

How does ServerScout's SSRF protection work for webhooks?

ServerScout uses the validateWebhookUrl() function to automatically block webhook URLs targeting dangerous endpoints. It blocks private IP ranges, localhost variations, non-HTTP schemes, and performs DNS resolution checks to prevent URLs that resolve to blocked ranges. This prevents attackers from using ServerScout to scan internal networks or access localhost services.

What are the best practices for webhook authentication?

Always use HTTPS exclusively for webhook URLs to prevent interception. Implement webhook signing with secret tokens and verify signatures on the receiving end using HMAC-SHA256. Configure IP allowlisting to only accept requests from your ServerScout server's IP address, and implement rate limiting to prevent abuse of your webhook endpoints.

Which IP addresses does ServerScout block for webhook security?

ServerScout blocks private IP ranges including 10.0.0.0/8 (Class A), 172.16.0.0/12 (Class B), 192.168.0.0/16 (Class C), 127.0.0.0/8 (loopback), and 169.254.0.0/16 (link-local). It also blocks localhost variations and only permits HTTP/HTTPS schemes. This prevents SSRF attacks that could target internal infrastructure.

How can I fix localhost access blocked webhook errors?

Replace localhost or 127.0.0.1 addresses in your webhook URLs with external IP addresses or public domain names. Instead of http://localhost:3000/webhook, use your public IP like http://203.0.113.10:3000/webhook or a public domain like https://webhooks.yourcompany.com/alerts. The endpoint must be publicly accessible for ServerScout's validation to pass.

When does ServerScout validate webhook URLs?

ServerScout performs webhook validation twice: when you initially configure the webhook URL and each time it attempts to send a notification. This dual-layer approach ensures ongoing security even if DNS records change after the initial configuration, maintaining protection against SSRF attacks throughout the webhook's lifecycle.

Was this article helpful?

Related Articles