• Resolved monomatic

    (@monomatic)


    We are integrating with an external service (Klaviyo). They do not publish an IP list, instead they suggest white-listing their user agent.
    While this is less than ideal, it is something we would like to put in place so we can proceed.
    Is it possible to allow a user agent with wp-cerber? Is there a hook to interact with the request and the decision process?
    Alternatively, we could add header information to the request (Cloudflare or Apache). Is there something we can use to signal to wp-cerber to allow the request?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter monomatic

    (@monomatic)

    I do have the following in Traffic Inspector > Settings > Request Whitelist:

    {\/wp-json\/klaviyo\/*}

    Did you get anywhere with this as we are also hitting the same issue ourselves?

    I was thinking that we should add something into the anti spam section / query whitelist – but I am unsure if this would suffice or not?

    Plugin Author gioni

    (@gioni)

    While this is less than ideal

    I say more: this is an awful and non-professional recommendation. Anyone can spoof the User-Agent string (UA) with ease. That’s why it’s not implemented in WP Cerber. If you need to grant access to a specific REST API route, you have to use the “Allow these namespaces” list on the “Hardening” tab. See more: https://wpcerber.com/restrict-access-to-wordpress-rest-api/

    I will also update my own ticket – however, we have actually found that it was a plugin conflict that was stopping Klaviyo working – suggest that you run a staging site and deactivate plugins until you find the one that clashes with your system – for us it was WC Currency Switcher.
    I used Postman to test against.
    I have not had to change any settings within WP Cerber at all.

    Thread Starter monomatic

    (@monomatic)

    @gioni – agreed. Klaviyo are gaining a lot of traction these days and use AWS, I’m surprised their infrastructure works like this.

    I believe our issue was that we were using JWT auth, which caused problems with wp-cerber (it would identify consumer_key as a non-existent username, impacting several external services and requiring white-listed IPs). Since disabling this we have Klaviyo working and our other services aren’t being incorrectly picked up by wp-cerber.

    Thanks.

  • The topic ‘Allow user agent, possible?’ is closed to new replies.