Static IP Delivery: Whitelist a Single IP for Webhooks
Hookbase now offers static IP delivery for outbound webhooks. Whitelist one IP address in your firewall and receive all webhook traffic through a dedicated, fixed endpoint.
The Firewall Problem with Webhook Delivery
If you have ever tried to receive webhooks behind a corporate firewall, you know the pain. Your security team asks a simple question: "What IP addresses should we whitelist?" And the answer, for most webhook platforms running on serverless infrastructure, is some variation of "it depends" or "here is a list of 2,000 CIDR ranges that might change."
Cloudflare Workers -- the infrastructure Hookbase runs on -- use a shared IP pool. The IP address that delivers your webhook today might be different tomorrow. For teams with strict network policies, this makes webhook integration either impossible or requires punching holes wide enough to undermine the firewall's purpose.
Today we are releasing Static IP Delivery, a feature that routes all outbound webhook traffic through a single, fixed IP address that you can whitelist once and forget about.
How It Works
When Static IP delivery is enabled for a destination, Hookbase changes the delivery path:
Without Static IP (default): Worker processes delivery -> Sends HTTP request directly from Cloudflare's edge -> Destination receives from unpredictable IP
With Static IP enabled: Worker processes delivery -> Sends request through Cloudflare Tunnel -> Go relay service on dedicated Hetzner server -> Destination receives from fixed IP address
The relay server runs on dedicated infrastructure with a static IP address that does not change. Traffic between the Cloudflare Worker and the relay travels through an encrypted Cloudflare Tunnel -- no ports are exposed on the server, and no traffic touches the public internet between the two.
Authentication and Security
Every request from the Worker to the relay is authenticated with HMAC-SHA256. The relay verifies the signature before forwarding any traffic. This prevents unauthorized use of the static IP endpoint even if someone discovers the tunnel address.
The relay also includes built-in SSRF protection:
- Private IP ranges blocked -- requests to
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16, and other private ranges are rejected - Cloud metadata endpoints blocked -- requests to
169.254.169.254and similar cloud provider metadata URLs are rejected - Localhost blocked -- no requests to
127.0.0.0/8or::1
These protections ensure that the relay cannot be used to probe internal networks, even if a destination URL is misconfigured or malicious.
Enabling Static IP Delivery
Dashboard
Navigate to your destination or endpoint settings. In the create or edit modal, you will find a Static IP Delivery toggle under the delivery options. It is enabled by default for eligible plans.
Per-Destination Control
Static IP delivery is configured individually for each destination. This gives you flexibility:
- Enable it for destinations behind corporate firewalls that require IP whitelisting
- Leave it disabled for destinations that do not need it, keeping deliveries on the faster direct path
- Mix and match across your organization as needed
Getting Your Static IP
Once you enable the feature, your organization's static IP address is displayed in your dashboard under Settings. Share this IP with your network team for firewall configuration. The IP is fixed and dedicated -- it will not change unless we explicitly notify you.
Architecture Details
For teams that want to understand the infrastructure:
| Component | Detail | |-----------|--------| | Relay Server | Dedicated Hetzner bare-metal server | | Relay Software | Go service with HTTP proxy capabilities | | Tunnel | Cloudflare Tunnel (encrypted, no exposed ports) | | Authentication | HMAC-SHA256 per-request signing | | SSRF Protection | Private IP and metadata endpoint blocking | | IP Stability | Fixed IP bound to dedicated hardware |
The Go relay is intentionally minimal. It receives authenticated requests from the Cloudflare Tunnel, validates the HMAC signature, checks the destination against the SSRF blocklist, and forwards the request. Response headers and body are passed back through the tunnel to the Worker, which records the delivery result as usual.
Because the tunnel is managed by Cloudflare, there are no open ports on the relay server. The only inbound traffic comes through the tunnel itself. This eliminates an entire class of network-level attacks against the relay infrastructure.
Plan Availability
Static IP delivery is available on Pro and Business plans.
| Plan | Static IP Delivery | |------|-------------------| | Free | Not available | | Starter | Not available | | Pro | Available | | Business | Available |
If you are on a Free or Starter plan, you can upgrade from Settings -> Billing to unlock the feature.
Performance Considerations
Adding the relay hop introduces a small amount of additional latency compared to direct delivery from the Cloudflare edge. In practice, this is typically 10-30ms depending on the geographic distance between the nearest Cloudflare data center and the relay server.
For most webhook use cases, this latency is negligible. Webhooks are asynchronous by nature, and the reliability benefits of a whitelistable IP address far outweigh a few milliseconds of additional delivery time.
If latency is critical and your destination does not require IP whitelisting, you can leave Static IP delivery disabled for that destination and benefit from Cloudflare's global edge delivery.
Common Use Cases
Enterprise SaaS integrations. Your customer's IT team requires a static IP before they will open their firewall to receive webhooks from your application. With Hookbase as your delivery layer, you hand them a single IP and move on.
Financial services. Banks and payment processors often mandate IP whitelisting for any inbound HTTP traffic. Static IP delivery lets you route payment webhooks to systems behind these strict network policies.
Healthcare systems. Hospital networks and EHR platforms frequently restrict inbound traffic to known IP addresses. Combined with Hookbase's Transient Mode for payload privacy, Static IP delivery makes healthcare webhook integrations practical.
Government and regulated industries. Agencies with FedRAMP or SOC 2 requirements often need to demonstrate that inbound traffic comes from known, documented sources. A static IP simplifies this compliance documentation.
What's Next
Static IP delivery is the first step in our network infrastructure roadmap. We are exploring dedicated IP pools for Business plan customers, regional IP options for data residency requirements, and IPv6 support.
If you have specific networking requirements for your webhook infrastructure, reach out to us at [email protected].