Businesses relying on Stripe for online transactions know the importance of seamless webhook communication. But when Sucuri, a popular web application firewall (WAF), starts mistakenly identifying legitimate Stripe webhooks as threats, the result can be payment disruption, failed transactions, and unnecessary customer support overhead. If you’ve been struggling with this frustrating scenario, you’re not alone — and thankfully, there’s a precise fix.
TL;DR
If your Stripe webhooks are being blocked by Sucuri WAF, the cause is usually an incomplete IP whitelist or heuristic rules that misfire on webhook payloads. Stripe publishes the set of IP addresses its webhooks originate from; every address on that list must be explicitly allowed in your WAF settings, and the list changes over time. Adding Stripe's official IPs to the Sucuri whitelist and relaxing specific heuristic rules for the webhook path only restores delivery without disabling the firewall for the rest of the site. Because whitelisted traffic bypasses the WAF entirely, verify the Stripe-Signature header on every request so the endpoint itself remains a control.
Understanding the Problem: Sucuri WAF and False Positives
Sucuri is a cloud-based WAF that sits in front of your origin as a reverse proxy, screening every incoming HTTP request and blocking anything that matches its signatures or heuristics before it reaches your server. That is excellent against DDoS traffic, exploit attempts and other bad actors, but it backfires when a legitimate service like Stripe delivers webhook calls that happen to resemble an attack.
Stripe uses webhooks to notify your server of significant events — like successful payments, failed transactions, refunds, and subscription changes. These are essential to automating processes like updating customer records, inventory management, and revenue tracking.
The problem arises when Sucuri’s rules — especially heuristic filters attempting to detect SQL injection or code injection — mistakenly classify Stripe’s webhook payloads as malicious.
Common symptoms of this issue include:
- Stripe dashboard shows repeated webhook delivery failures.
- No incoming POST requests from Stripe in your origin server logs, because a request blocked at Sucuri's edge never reaches the origin.
- Stripe retries the delivery repeatedly (with exponential backoff, for up to three days in live mode) because it treats the WAF's 403 Forbidden, or a timeout, as a failed delivery.
- Email notifications from Stripe warning about webhook failure.
Even though Sucuri is protecting your site, it may end up acting a bit too aggressively — blocking what it shouldn’t.
Identifying the Root Cause: False Positives Triggered by Stripe
When we dove deeper into server logs and Sucuri’s dashboard, the problem became clearer. Each Stripe webhook was receiving a 403 Forbidden response, or was being outright blocked from reaching the server. Viewing the incident logs in Sucuri, the following flags were repeatedly triggered:
- SQLi heuristic pattern
- Request body size exceeded threshold
- POST request blocked due to malformed JSON (even when the JSON was valid)
Sucuri's detection rules evolve, and a Stripe event body is JSON full of quote marks, brackets and nested objects. Worse, parts of it are free text that you or your customers supplied: `description` fields, customer names, and `metadata` values. A product description containing a word like `select`, or an apostrophe in a name like O'Brien, is enough for an SQL-injection heuristic to fire. Sucuri then flags and drops the request at the edge, and it never reaches your application.
This was especially problematic during promotional campaigns, when large volumes of transactions created a flood of webhooks – many of which went nowhere.
The Proper Fix: Precise IP Whitelisting
While it’s tempting to just disable the firewall temporarily or whitelist the whole world for webhook URLs, that’s a security nightmare. The correct and secure fix involves a few strategic steps:
1. Retrieve Stripe’s Official IP addresses
Stripe publishes the list of IP addresses its webhooks originate from at https://docs.stripe.com/ips, with machine-readable copies at https://stripe.com/files/ips/ips_webhooks.txt (one address per line) and ips_webhooks.json. The list is updated from time to time, so work from the official source rather than a copy.
As of writing, these were among the addresses on the list (NOTE: they change, always check the official source):
3.18.12.63
3.130.192.231
13.235.14.237
13.235.122.149
18.211.135.69
35.154.171.200
52.15.183.38
2. Login to Sucuri’s Dashboard
Go to your Sucuri firewall settings and locate the Whitelist section under Access Control. Requests from IPs entered here are passed to your origin with every WAF check skipped, so grant this only to Stripe's published addresses, never to a broad range, and treat the webhook endpoint itself as the place where those requests get authenticated.
3. Add All of Stripe’s IPs to the Whitelist
Make sure every single IP block provided by Stripe is added to the whitelist. Sucuri does a hard match, so missing even one IP can result in random webhook events failing intermittently.
4. Disable Blocked Actions for Webhook Endpoint
In Sucuri’s URL paths configuration, you can add your webhook listener endpoint (e.g., /stripe/webhook) and disable specific WAF rules just for that path. This avoids turning off the firewall globally while ensuring that Stripe’s requests aren’t unnecessarily blocked. The most helpful setting here is to:
- Disable heuristic filtering for that specific path.
- Allow larger POST body sizes if your Stripe events include metadata-heavy payloads.
This will ensure the endpoint accepts complex JSON payloads without interference.
Bonus Tip: Use Stripe’s Signing Secret
Even with Stripe's IPs whitelisted, verify the authenticity of every request your webhook endpoint receives. Stripe signs each delivery: the Stripe-Signature header carries a timestamp (t=) and one or more HMAC-SHA256 values (v1=) computed over the timestamp and the raw request body using your endpoint's signing secret, the whsec_ value shown in the dashboard when you create the endpoint.
IP whitelisting is a coarse control: the list can go stale, anyone who learns the endpoint URL can POST a fabricated event, and the WAF checks you relaxed for this path no longer apply. Signature verification closes those gaps. A forged or tampered body fails the HMAC check, and rejecting timestamps more than a few minutes old limits replay of a captured request. Verify against the raw body bytes (re-serialising the JSON changes whitespace and key order and breaks the HMAC) and use a constant-time comparison. Stripe's webhook documentation (https://docs.stripe.com/webhooks) covers the header format and the official libraries' constructEvent / construct_event helpers.
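The following is an added example, not code from this post or from Stripe's libraries, showing the verification described above implemented by hand in Python's standard library. It assumes a hypothetical signing secret and a constructed event payload (neither is real); the `build_signature_header` helper only exists to produce test input the way Stripe's servers would. The sample payload carries a metadata value that looks like SQL injection, the kind of content that trips a WAF heuristic but is irrelevant to the HMAC check.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Stripe's own libraries reject signatures whose timestamp is more than
# 300 seconds away from the receiver's clock; same window here.
TOLERANCE_SECONDS = 300


class SignatureVerificationError(Exception):
    """Raised for a malformed, stale, or non-matching Stripe-Signature header."""


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=<ts>,v1=<hex>[,v1=<hex>...]' into the timestamp and v1 signatures.

    Unknown keys (e.g. the legacy v0 scheme) are ignored, as Stripe recommends.
    """
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                raise SignatureVerificationError("Non-numeric timestamp in header")
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise SignatureVerificationError("Malformed Stripe-Signature header")
    return timestamp, signatures


def expected_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the endpoint secret."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> Dict:
    """Return the parsed event if the signature is valid and fresh; raise otherwise.

    `payload` must be the raw request body bytes exactly as received.
    """
    timestamp, signatures = parse_signature_header(header)
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise SignatureVerificationError("Timestamp outside tolerance (possible replay)")
    expected = expected_signature(secret, timestamp, payload).encode()
    # compare_digest is constant-time; several v1 values appear while a
    # signing secret is being rotated, and any one matching is sufficient.
    if not any(hmac.compare_digest(expected, sig.encode()) for sig in signatures):
        raise SignatureVerificationError("No matching v1 signature")
    return json.loads(payload)


def build_signature_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Produce a header the way Stripe's servers would. Test fixture only."""
    return f"t={timestamp},v1={expected_signature(secret, timestamp, payload)}"


# Constructed sample input: a hypothetical secret and a fake event. The metadata
# value deliberately resembles SQL injection, which is legitimate free text to
# Stripe but exactly what a WAF heuristic would flag.
SAMPLE_SECRET = "whsec_example_do_not_use"
SAMPLE_PAYLOAD = json.dumps({
    "id": "evt_example",
    "type": "payment_intent.succeeded",
    "data": {"object": {"metadata": {"note": "' OR 1=1 --"}}},
}).encode()


def demo(now: int = 1_700_000_000) -> Dict:
    """Sign the sample payload at `now` and verify it at the same instant."""
    header = build_signature_header(SAMPLE_SECRET, now, SAMPLE_PAYLOAD)
    return verify_webhook(SAMPLE_PAYLOAD, header, SAMPLE_SECRET, now=now)


if __name__ == "__main__":
    print(demo()["type"])
```

In a real handler, read the body with whatever gives you the unmodified bytes (for example `request.get_data()` in Flask, not `request.json`), call `verify_webhook` before doing anything with the event, and return a 2xx as soon as verification succeeds so Stripe does not time out and retry; any slow processing belongs in a queue.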
The Impact: What Correct Whitelisting Solved
After configuring all of Stripe’s IPs within the Sucuri firewall and tuning WAF rule behavior for the webhook endpoint, the issue disappeared entirely. Webhooks started getting acknowledged instantly, Stripe’s retry mechanism was no longer active, and no events were lost.
In terms of workflow and user experience —
- Customers stopped seeing delayed payment confirmations.
- Support tickets about failed subscriptions dropped.
- Backend automations like new user account creation worked dependably again.
A Note on Automation
Stripe's list changes over time, so set a calendar reminder to compare it against your whitelist at least quarterly, and check again whenever Stripe announces an IP change. If your Sucuri plan does not expose a firewall API you can script against, the update itself remains a manual copy-and-paste, which makes a scripted diff of the published list against what is in the dashboard worth keeping. Being proactive about this is what keeps you from another round of failed webhook deliveries.
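As an added example (not code from this post, Stripe, or Sucuri), the script below does the comparison just described: it parses the one-address-per-line format of Stripe's ips_webhooks.txt, validates each entry as an IP address, and reports what must be added to and removed from the whitelist so it matches the published list exactly. Both inputs are constructed and embedded so the script runs offline; the published sample reuses the addresses quoted earlier in this post, and the "current whitelist" includes a stale entry from a documentation address range. In practice you would fetch the published file with `urllib.request` and paste the reported additions and removals into the Sucuri dashboard.

```python
import ipaddress
from typing import Iterable, Set, Tuple

# Constructed sample of the published list format (one address per line).
# These are the addresses quoted in this post; the live file may differ.
PUBLISHED_TXT = """\
3.18.12.63
3.130.192.231
13.235.14.237
13.235.122.149
18.211.135.69
35.154.171.200
52.15.183.38
"""

# Constructed: what is currently entered in the firewall whitelist. One published
# address is missing and one stale entry (from the RFC 5737 documentation
# range) is present, so the diff shows both directions.
CURRENT_WHITELIST = {
    "3.18.12.63",
    "3.130.192.231",
    "13.235.14.237",
    "18.211.135.69",
    "35.154.171.200",
    "52.15.183.38",
    "198.51.100.7",
}


def parse_ip_list(text: str) -> Set[str]:
    """Parse the one-address-per-line format.

    Blank lines and '#' comments are skipped. Anything that is not a valid
    IPv4/IPv6 address raises ValueError rather than being silently dropped,
    because a typo here would either open the whitelist to the wrong host or
    leave a Stripe address out and cause intermittent delivery failures.
    """
    addrs: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.add(str(ipaddress.ip_address(line)))  # normalises; raises on junk
    return addrs


def diff_whitelist(published: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) so that `current` becomes exactly `published`."""
    return published - current, current - published


def whitelist_report(published_txt: str = PUBLISHED_TXT,
                     current: Iterable[str] = CURRENT_WHITELIST) -> Tuple[Set[str], Set[str]]:
    """Parse the published list and diff it against the current whitelist."""
    return diff_whitelist(parse_ip_list(published_txt), set(current))


if __name__ == "__main__":
    to_add, to_remove = whitelist_report()
    print("add to whitelist:", sorted(to_add))
    print("remove from whitelist:", sorted(to_remove))
```

Removing stale entries matters as much as adding new ones: an address Stripe no longer uses may be reassigned to an unrelated tenant of the same cloud provider, and anything left in the whitelist reaches your origin with no WAF inspection at all.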
Final Thoughts
Sucuri WAF is a powerful tool for keeping your web properties secure, but no security system is foolproof. False positives, especially on legitimate services like Stripe, can cause real business friction. Armed with the right IPs and a bit of WAF rule customization, you can keep your payment processing streamlined and secure.
Remember: Security doesn’t have to come at the expense of functionality. With careful configuration, you can keep both in harmony.