help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Reminder: Do not "whitelist" Fitbit IP addresses

ANSWERED

‎07-27-2015 11:21

‎07-27-2015 11:21

On Thursday, July 30, 2015 around 00:10 PDT, api.fitbit.com will begin resolving to multiple IP addresses different from its current IP address. Most applications using the Fitbit API will not be affected and no change will be required.

 

However, if your application is using an IP address "whitelist", it’s time to stop. Fitbit has never supported whitelisting of its IP addresses. Our new security measure will cause your IP whitelist to be incorrect frequently, which will result in your application breaking frequently without warning. Resolving api.fitbit.com according to its TTL is the supported implementation.

 

The IP addresses of the servers sending notifications for the Fitbit Subscriptions API will not be changing, but your application should not use an IP address whitelist for those either.

Best Answer
1 BEST ANSWER

Accepted Solutions

‎04-26-2016 12:41

In response to dlabelle

‎04-26-2016 12:41

@dlabelle: For its own security considerations, Fitbit reserves the ability to change its IP addresses at any time without prior notice.

 

We understand that using a more advanced firewall product or different firewall policy may not be options for all organizations. The tradeoff is that you must accept the fragility and maintenance that comes with IP address based whitelisting.

 

Fitbit currently uses CloudFlare in front of its Web API. CloudFlare maintains a set of IP addresses that can change without prior notice to Fitbit or anyone else. Fitbit also reserves the ability to use non-CloudFlare IP addresses if ever needed.

View best answer in original post

Best Answer
0 Votes
6 REPLIES 6

‎07-29-2015 16:43 - edited ‎07-30-2015 00:18

‎07-29-2015 16:43 - edited ‎07-30-2015 00:18

The change has been made. All systems remain operational.

Best Answer
0 Votes

‎10-13-2015 15:29

In response to JeremiahFitbit

‎10-13-2015 15:29

Fitbit disabled CloudFlare on 2015-07-31 due to a .Net issue. Fitbit will re-enable CloudFlare tomorrow, Wednesday, October 14, 2015. .Net applications will need to retry failed requests and petition Microsoft to address this issue.

Best Answer

‎04-26-2016 09:01

‎04-26-2016 09:01

what is the alternative to whitelisting an IP address?

Best Answer
0 Votes

‎04-26-2016 12:01

In response to dlabelle

‎04-26-2016 12:01

@dlabelle: What are you try to accomplish? Are you concerned about connections to Fitbit or requests from Fitbit's Subscriptions API?

Best Answer
0 Votes

‎04-26-2016 12:27

In response to JeremiahFitbit

‎04-26-2016 12:27

I work for a health care company and we are using Epic products to go out to fitbit and sync the data back into our portal. We load balance in the DMZ and have a firewall that does not support white listing domains. This makes connection impossible.

Best Answer
0 Votes

‎04-26-2016 12:41

In response to dlabelle

‎04-26-2016 12:41

@dlabelle: For its own security considerations, Fitbit reserves the ability to change its IP addresses at any time without prior notice.

 

We understand that using a more advanced firewall product or different firewall policy may not be options for all organizations. The tradeoff is that you must accept the fragility and maintenance that comes with IP address based whitelisting.

 

Fitbit currently uses CloudFlare in front of its Web API. CloudFlare maintains a set of IP addresses that can change without prior notice to Fitbit or anyone else. Fitbit also reserves the ability to use non-CloudFlare IP addresses if ever needed.

Best Answer
0 Votes