FlightAware Discussions

Verify Authenticity of POST Request

I have a sever setup which receives a POST request for flight notifications. Everything is working great but I’d like to validate the authenticity of the POST request coming in before processing it (as it leads to a push notification).

What is the best way to do this? I’ve considered white listing the IP address of the Flight Aware servers but I’m not sure if these are subject to change.

Any recommendations?

One method is to call RegisterAlertEndpoint with a URL on your server that contains a parameter with a secret token, and ensure your endpoint is checking that value. For example: https://myserver.example.com/path/handler.cgi?secretkey=abc123

Using https instead of http is also generally recommended.

You can also verify that that remote IP address of the POST is from one of our server IPv4 blocks:

  • 70.42.6.128/25
  • 206.123.125.0/25
  • 216.52.171.64/26
  • 207.210.213.224/27

For IPv6:

  • 2607:c13:1002:4::/64
  • 2607:fdb8:0:119::/64
1 Like

Thanks for the suggestion. I’ve implemented the secret key technique after your suggestion, however I’m confused about the IP addresses.

When I inspect the IP from a POST coming from Flight Aware servers I see the IP as: 10.28.44.109 which does not look to be related to the IP addresses you posted above.

Am I missing something? I’ll admit I’m not familiar with IP blocks.

That is a RFC1918 address (i.e. it is internal to your local network); perhaps you have a reverse proxy in use?

1 Like

Are the given IP blocks up to date? I got a request from 216.52.171.103, which I don’t think is included in one of the two?

That earlier post was incomplete, so I’ve updated it to include 216.52.171.64/26, which is another IP block that we have been using for many years for FlightXML push notifications.