Why Sucuri WAF false positives kept blocking Stripe Webhooks and the precise IP Whitelist solution that stopped it – WP Reset

Businesses that rely on Stripe for online transactions know the importance of seamless webhook communications. But when Sucuri, a popular web application firewall (WAF), starts incorrectly identifying legitimate Stripe webhooks as threats, the result can be payment disruptions, failed transactions, and unnecessary customer support overhead. If you’re struggling with this frustrating scenario, you’re not alone – and luckily there is a precise solution.

TL;DR

If your Stripe webhooks are being blocked by Sucuri WAF due to false positives, the problem often stems from improper IP whitelisting or overzealous WAF rules. Stripe’s servers rotate through different IPs that must be explicitly allowed in your WAF settings. By updating your Sucuri firewall with Stripe’s official IP addresses and disabling specific heuristic rules, you can immediately resolve the issue and restore smooth webhook functionality.

Understanding the problem: Sucuri WAF and false positives

Sucuri provides robust defense against DDoS attacks, website hacks and other malicious activities. It works by screening incoming HTTP requests and blocking anything that looks remotely suspicious. While this is great for blocking bad actors, it can backfire when legitimate services like Stripe send webhook calls.

Stripe uses webhooks to notify your server of important events, such as successful payments, failed transactions, refunds, and subscription changes. These are essential for automating processes such as updating customer information, inventory management, and revenue tracking.

The problem occurs when Sucuri’s rules (especially heuristic filters that try to detect SQL injection or code injection) incorrectly classify Stripe’s webhook payloads as malicious.

Common symptoms of this problem include:

  • The Stripe dashboard shows repeated failed webhook deliveries.
  • No incoming POST requests from Stripe visible in server logs.
  • Stripe retries requests multiple times due to 403 Forbidden or timeout errors.
  • Email notifications from Stripe warning about webhook failure.

Even though Sucuri is protecting your site, it sometimes reacts too aggressively and blocks traffic it shouldn’t.

Identifying the root cause: false positives triggered by Stripe traffic

As we dug deeper into Sucuri’s server logs and dashboard, the problem became clearer. Each Stripe webhook either received a 403 Forbidden response or was blocked before it ever reached the server. In Sucuri’s incident logs, the following flags were triggered repeatedly:

  • SQLi heuristic pattern
  • Body size request exceeded threshold
  • POST request blocked due to malformed JSON (even though the JSON was valid)

Sucuri’s detection rules evolve over time, and Stripe’s JSON payloads sometimes contain characters or patterns (quotes, brackets, or certain keywords) that the heuristic engines misread as suspicious activity. Sucuri then flags the request and drops it, so it never reaches your application.

This was especially problematic during promotional campaigns, when high volumes of transactions created a flood of webhooks – many of which went nowhere.

The right solution: precise IP whitelisting

While it’s tempting to temporarily disable the firewall or whitelist the entire world for webhook URLs, that’s a security nightmare. The right and safe solution involves a few strategic steps:

1. Get Stripe’s official IP addresses

Stripe publishes a list of the IP ranges its webhooks are sent from. The list is available in their official documentation and is updated regularly.

At the time of writing, here are sample IPs (NOTE: these change; always check the official source):

3.18.12.63
3.130.192.231
13.235.14.237
13.235.122.149
18.211.135.69
35.154.171.200
52.15.183.38

2. Log in to Sucuri’s Dashboard

Go to your Sucuri firewall settings and find the Whitelist section under Access Control. Here you can manually enter the exact IP addresses you want to let through, bypassing all WAF checks.

3. Add all Stripe IPs to the whitelist

Make sure that every single IP block provided by Stripe is added to the whitelist. Sucuri performs an exact match, so missing even one IP address can cause webhook events to fail intermittently.

4. Disable blocking actions for the webhook endpoint

In Sucuri’s URL path configuration, you can add your webhook listener endpoint (for example, /stripe/webhook) and disable specific WAF rules for that path only. This avoids disabling the firewall globally while ensuring that Stripe’s requests are not blocked unnecessarily. The most useful settings here are:

  • Disable heuristic filtering for that specific path.
  • Allow larger POST text sizes if your Stripe events contain metadata-heavy payloads.

This ensures that the endpoint accepts complex JSON payloads without interference.

Bonus tip: Use Stripe’s signing secret

Even after whitelisting Stripe’s IP addresses, it’s still smart to verify the authenticity of each webhook request received. Stripe provides a signing secret that allows your server to cryptographically authenticate webhook payloads.

This ensures that even if another source spoofed Stripe’s IPs and reached your webhook URL (unlikely, but possible), its requests would fail signature verification. Follow Stripe’s guide to implement it.
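As an added example (not from the original post and not Stripe’s own library), here is a Python implementation of Stripe’s documented signature scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, carried in the `Stripe-Signature` header as `t=` and `v1=` fields, with a 300-second replay window), combined with the source-IP allowlist from the whitelisting steps above so the endpoint requires both. The secret, IP set and event body are constructed placeholders, not real values.

```python
import hashlib
import hmac
import time
# Constructed values for this example: the real endpoint secret comes from the Stripe
# dashboard (it starts with "whsec_") and the allowlist from Stripe's published IP list.
ENDPOINT_SECRET = "whsec_constructed_example_secret"
STRIPE_WEBHOOK_IPS = {"3.18.12.63", "3.130.192.231", "13.235.14.237"}
TOLERANCE_SECONDS = 300  # Stripe's default replay-protection window
# Constructed event body; the quotes and brackets are the kind of legitimate
# metadata that WAF heuristics tend to misread.
SAMPLE_BODY = (b'{"id":"evt_constructed_1","type":"payment_intent.succeeded",'
               b'"data":{"object":{"metadata":{"customer":"O\'Brien (#1)"}}}}')

def parse_signature_header(header):
    """Split 'Stripe-Signature: t=<ts>,v1=<hex>[,v1=<hex>]' into (ts, [sigs])."""
    timestamp, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    return timestamp, sigs

def verify_stripe_signature(raw_body, header, secret, now=None):
    """True iff raw_body carries a fresh v1 signature made with secret."""
    timestamp, sigs = parse_signature_header(header)
    if timestamp is None or not sigs:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed event
    # Sign the raw bytes exactly as received; re-serialising the JSON would alter them.
    signed_payload = f"{timestamp}.".encode() + raw_body
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected.encode(), s.encode()) for s in sigs)

def sign_like_stripe(raw_body, secret, timestamp):
    """Build the header Stripe would send; used here only to construct test input."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"

def accept_webhook(remote_ip, raw_body, header, now=None):
    """Defense in depth: the source IP must be allowlisted AND the signature must verify."""
    if remote_ip not in STRIPE_WEBHOOK_IPS:
        return "rejected: ip"
    if not verify_stripe_signature(raw_body, header, ENDPOINT_SECRET, now):
        return "rejected: signature"
    return "accepted"
```

Pass the request body to `verify_stripe_signature` as the raw bytes your framework received; parsing and re-encoding the JSON first is the most common cause of a valid signature failing to verify.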

The impact: what correct whitelisting solved

After adding all of Stripe’s IPs to the Sucuri firewall whitelist and tuning the WAF behavior for the webhook endpoint, the problem disappeared completely. Webhooks were accepted immediately, Stripe no longer had to retry deliveries, and no events were lost.

In terms of workflow and user experience —

  • Customers no longer saw delayed payment confirmations.
  • Support tickets about failed subscriptions stopped coming in.
  • Backend automations, such as creating new user accounts, worked reliably again.

A note on automation

Because Stripe’s list of IPs can evolve, it’s a good idea to set a quarterly calendar reminder to check for updates. Unfortunately, Sucuri doesn’t offer API-based whitelist automation, so the process remains manual. It’s critical to be proactive about this if you want to avoid another round of webhook deliverability failures.

Final thoughts

Sucuri WAF is a powerful tool for keeping your web assets safe, but no security system is infallible. False positives, especially on legitimate services like Stripe, can cause real business friction. Armed with the right IPs and a little tweaking of WAF rules, you can keep your payment processing streamlined and secure.

Remember: security does not have to come at the expense of functionality. With careful configuration you can keep both in harmony.
