Reminder: Do not "whitelist" Fitbit IP addresses

On Thursday, July 30, 2015 around 00:10 PDT, api.fitbit.com will begin resolving to multiple IP addresses different from its current IP address. Most applications using the Fitbit API will not be affected and no change will be required.

 

However, if your application is using an IP address "whitelist", it’s time to stop. Fitbit has never supported whitelisting of its IP addresses. Our new security measure will cause your IP whitelist to be incorrect frequently, which will result in your application breaking frequently without warning. Resolving api.fitbit.com according to its TTL is the supported implementation.

 

The IP addresses of the servers sending notifications for the Fitbit Subscriptions API will not be changing, but your application should not use an IP address whitelist for those either.

The change has been made. All systems remain operational.


Fitbit disabled CloudFlare on 2015-07-31 due to a .Net issue. Fitbit will re-enable CloudFlare tomorrow, Wednesday, October 14, 2015. .Net applications will need to retry failed requests and petition Microsoft to address this issue.

What is the alternative to whitelisting an IP address?

@dlabelle: What are you trying to accomplish? Are you concerned about connections to Fitbit or requests from Fitbit's Subscriptions API?

I work for a health care company and we are using Epic products to go out to Fitbit and sync the data back into our portal. We load balance in the DMZ and have a firewall that does not support white listing domains. This makes connection impossible.


@dlabelle: For its own security considerations, Fitbit reserves the ability to change its IP addresses at any time without prior notice.

 

We understand that using a more advanced firewall product or different firewall policy may not be options for all organizations. The tradeoff is that you must accept the fragility and maintenance that comes with IP address based whitelisting.

 

Fitbit currently uses CloudFlare in front of its Web API. CloudFlare maintains a set of IP addresses that can change without prior notice to Fitbit or anyone else. Fitbit also reserves the ability to use non-CloudFlare IP addresses if ever needed.

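Added example, not part of the thread or Fitbit's own code: a minimal sketch of "resolving according to TTL" next to a pinned address list, showing how the pinned entries go stale once the answer rotates. The resolver callable, the class and function names, and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
import time
from typing import Callable, Dict, List, Set, Tuple

# A resolver returns (addresses, ttl_seconds). A real one would wrap a DNS
# library that exposes record TTLs; that wrapper is assumed, not shown.
Resolver = Callable[[str], Tuple[List[str], int]]

class TtlCache:
    """Keep a DNS answer only until its TTL expires, then resolve again."""

    def __init__(self, resolver: Resolver,
                 clock: Callable[[], float] = time.monotonic):
        self._resolver = resolver
        self._clock = clock
        self._entries: Dict[str, Tuple[Set[str], float]] = {}

    def lookup(self, host: str) -> Set[str]:
        now = self._clock()
        entry = self._entries.get(host)
        if entry is not None and now < entry[1]:
            return entry[0]                      # answer is still fresh
        addrs, ttl = self._resolver(host)
        if not addrs:
            raise LookupError(f"no addresses returned for {host}")
        self._entries[host] = (set(addrs), now + max(ttl, 0))
        return self._entries[host][0]

def stale_pins(pinned: Set[str], current: Set[str]) -> Set[str]:
    """Pinned firewall entries that the name no longer resolves to."""
    return pinned - current

def simulate() -> Tuple[Set[str], Set[str], int]:
    """Constructed rotation: the answer changes once the 300 s TTL expires."""
    answers = [(["192.0.2.10", "192.0.2.11"], 300),
               (["198.51.100.7", "198.51.100.8"], 300)]
    calls: List[str] = []
    now = [0.0]                                  # fake clock for the demo

    def resolver(host: str) -> Tuple[List[str], int]:
        calls.append(host)
        return answers[len(calls) - 1]

    cache = TtlCache(resolver, clock=lambda: now[0])
    pinned = set(cache.lookup("api.fitbit.com"))   # what a static list captured
    now[0] = 299.0
    cache.lookup("api.fitbit.com")                 # served from cache
    now[0] = 300.0
    current = cache.lookup("api.fitbit.com")       # TTL expired: re-resolved
    return current, stale_pins(pinned, current), len(calls)
```

Where a firewall can only hold addresses, running the `stale_pins` comparison on every refresh and alerting on a non-empty result turns the silent breakage into a visible maintenance task.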