07-27-2015 11:21
On Thursday, July 30, 2015 around 00:10 PDT, api.fitbit.com will begin resolving to multiple IP addresses different from its current IP address. Most applications using the Fitbit API will not be affected and no change will be required.
However, if your application is using an IP address "whitelist", it’s time to stop. Fitbit has never supported whitelisting of its IP addresses. Our new security measure will cause your IP whitelist to be incorrect frequently, which will result in your application breaking frequently without warning. Resolving api.fitbit.com according to its TTL is the supported implementation.
The IP addresses of the servers sending notifications for the Fitbit Subscriptions API will not be changing, but your application should not use an IP address whitelist for those either.
07-29-2015 16:43 - edited 07-30-2015 00:18
The change has been made. All systems remain operational.
10-13-2015 15:29
Fitbit disabled CloudFlare on 2015-07-31 due to a .NET issue. Fitbit will re-enable CloudFlare tomorrow, Wednesday, October 14, 2015. .NET applications will need to retry failed requests and petition Microsoft to address this issue.
04-26-2016 09:01
What is the alternative to whitelisting an IP address?
04-26-2016 12:01
@dlabelle: What are you trying to accomplish? Are you concerned about connections to Fitbit or requests from Fitbit's Subscriptions API?
04-26-2016 12:27
I work for a health care company and we are using Epic products to go out to Fitbit and sync the data back into our portal. We load balance in the DMZ and have a firewall that does not support whitelisting domains. This makes connection impossible.
04-26-2016 12:41
@dlabelle: For its own security considerations, Fitbit reserves the ability to change its IP addresses at any time without prior notice.
We understand that using a more advanced firewall product or different firewall policy may not be options for all organizations. The tradeoff is that you must accept the fragility and maintenance that comes with IP address based whitelisting.
Fitbit currently uses CloudFlare in front of its Web API. CloudFlare maintains a set of IP addresses that can change without prior notice to Fitbit or anyone else. Fitbit also reserves the ability to use non-CloudFlare IP addresses if ever needed.
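The behaviour discussed in this thread, as an added example that is not part of any post and not Fitbit's code: a client cache that re-resolves once the record's TTL expires keeps following address changes, while an IP list pinned at deployment time drifts and starts blocking valid endpoints. `TTLResolver`, `allowlist_drift`, the hostname `api.example.test` and the RFC 5737 documentation addresses are all constructed for illustration.

```python
import time


class TTLResolver:
    """Cache DNS answers and re-resolve only after the record's TTL expires."""

    def __init__(self, lookup, clock=time.monotonic):
        self._lookup = lookup  # callable: hostname -> (iterable_of_ips, ttl_seconds)
        self._clock = clock    # injectable so the behaviour can be tested offline
        self._cache = {}       # hostname -> (frozenset_of_ips, expires_at)

    def resolve(self, host):
        now = self._clock()
        entry = self._cache.get(host)
        if entry is None or now >= entry[1]:
            ips, ttl = self._lookup(host)
            entry = (frozenset(ips), now + ttl)
            self._cache[host] = entry
        return entry[0]


def allowlist_drift(pinned, current):
    """Addresses currently served that a pinned IP allowlist would block."""
    return sorted(set(current) - set(pinned))


def simulate():
    """Replay two constructed DNS answers (address sets and TTLs are made up)."""
    answers = iter([
        ({"192.0.2.10"}, 300),                    # answer at deployment time
        ({"198.51.100.7", "198.51.100.8"}, 300),  # answer after the provider rotates
    ])
    now = {"t": 0.0}
    resolver = TTLResolver(lambda host: next(answers), clock=lambda: now["t"])

    host = "api.example.test"         # hypothetical hostname
    pinned = resolver.resolve(host)   # what a firewall admin would have pinned
    now["t"] = 299.0
    within_ttl = resolver.resolve(host)  # still cached, no new lookup
    now["t"] = 300.0
    after_ttl = resolver.resolve(host)   # TTL expired, fresh lookup
    return pinned, within_ttl, after_ttl, allowlist_drift(pinned, after_ttl)


if __name__ == "__main__":
    pinned, within_ttl, after_ttl, blocked = simulate()
    print("pinned allowlist:", sorted(pinned))
    print("served after TTL:", sorted(after_ttl))
    print("blocked by pinned allowlist:", blocked)
```

Run periodically against real lookups, the `allowlist_drift` comparison is also a cheap monitor for organizations that must keep an IP-based firewall rule and need to know when it has gone stale.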