FlightAware Discussions

RegisterAlertEndpoint Security

Hello,
Is there any way to secure the RegisterAlertEndpoint callbacks and validated it as a FlightXML call? like some fixed IP or some HTTP Header?

thank you

One method is to call RegisterAlertEndpoint with a URL on your server that contains a parameter with a secret token, and ensure your endpoint is checking that value. For example: https://myserver.example.com/path/handler.cgi?secretkey=abc123

Using https instead of http is also generally recommended.

You can also verify that that remote IP address of the POST is from one of our server IPv4 blocks:

  • 70.42.6.128/25
  • 206.123.125.0/25
  • 216.52.171.64/26
  • 207.210.213.224/27

For IPv6:

  • 2607:c13:1002:4::/64
  • 2607:fdb8:0:119::/64
2 Likes

Great idea, thanks for the answer

We have a authentication gateway that can receive the alerts based on IP. But i noticed we received the event from the IP 216.52.171.103. Can you please advise on which IPs to be used to authenticate?

The IP address blocks used by our data centers are listed in the above message (just updated with new ranges). We recommend using the above ranges, and not just single IP addresses, as we may need to migrate services to other addresses within those ranges.

1 Like

On this topic: I was wondering if you guys would consider buffing up the security of RegisterAlertEndpoint? Both source IP-based security and query parameter secrets are considered bad practices by some. Either header-based authentication or public key cryptography like AWS SNS uses would be better than what we have. Keep in mind that I’m no security expert, but this is simply what I’ve gathered from my reading.

1 Like