# IP Whitelisting

SocketXP Public Web URLs could potentially be accessed by anyone who knows your random public URL. To prevent unwanted online users from accessing your web service, use the SocketXP security feature named IP Whitelisting.

Create an IP Whitelist for your organization in the SocketXP portal page. Add the public IP addresses or the public IP prefixes of the networks from which you will access your web service. Only requests coming from these IP addresses will then be permitted to access your private web service.

Tip:

It is highly advisable to add only static public IP addresses from which you want to remotely access your IoT device's web service. Corporations usually have static public IP addresses assigned to their gateway/firewall instances. Use these static public IP addresses for IP Whitelisting.

# How to know your public IP address?

Your IT admins are the right people to ask for the list of your corporate public IP addresses. Alternatively, you could ask Google "what's my IP" and it will show your current public IP address. Add this IP to your IP Whitelist before you access your web service remotely from any location on your office intranet. However, if your corporate internet gateway has many public IP addresses, it may load-balance outbound internet traffic across them. So you may need to repeat the "google and update IP Whitelist" exercise quite a few times initially.

If you don't have a static public IP address and you want to remotely access your web service temporarily from a coffee shop or from your home wifi network, again ask Google to display the current ephemeral public IP address assigned to the wifi device. Add this to the IP Whitelist temporarily. Make sure you delete this ephemeral public IP address from the whitelist once you are done with your remote access. If you don't, anyone from the coffee shop or home network could access your web service via the SocketXP Public Web URL.

Security Warning:

To be explicit: when your IP Whitelist is empty, SocketXP by default permits all access to your web service from the internet; it does not deny all access. So when you delete the last IP address from your IP Whitelist, don't assume that SocketXP will now deny all access to your web service. Instead, SocketXP will permit access to your web service from any public internet IP address. This is the default behavior of the SocketXP IP Whitelist feature.

# IP Prefix:

If you want to add only a single public IP, say 10.1.1.1, to the IP Whitelist, simply convert it into the prefix format as 10.1.1.1/32. If you want to add a network of public IPs, say 10.1.1.0, to the IP Whitelist, convert it into the prefix format as 10.1.1.0/24. The number following the / is called the Subnet Mask.
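
The prefix format above and the empty-list default from the Security Warning, modelled in Python as an added example (not SocketXP's code; the function names `to_prefix`, `is_permitted` and `coverage` are hypothetical, and 203.0.113.9 is a constructed sample address):

```python
import ipaddress


def to_prefix(entry: str):
    """Normalize one whitelist entry to prefix form.

    A bare address becomes a single-host prefix (/32 for IPv4). An entry
    that already carries /N is parsed strictly, so host bits set below the
    mask (e.g. 10.1.1.7/24) are rejected instead of silently widened.
    """
    entry = entry.strip()
    if "/" not in entry:
        addr = ipaddress.ip_address(entry)
        return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    return ipaddress.ip_network(entry, strict=True)


def is_permitted(client_ip: str, whitelist: list) -> bool:
    """Model of the documented decision for one client address."""
    if not whitelist:
        return True  # documented default: an empty list is allow-all, not deny-all
    addr = ipaddress.ip_address(client_ip)
    return any(
        net.version == addr.version and addr in net
        for net in map(to_prefix, whitelist)
    )


def coverage(whitelist: list) -> dict:
    """Number of source addresses each entry admits, to spot overly wide prefixes."""
    return {str(net): net.num_addresses for net in map(to_prefix, whitelist)}


if __name__ == "__main__":
    # Constructed sample list, using the addresses from the IP Prefix section.
    wl = ["10.1.1.1", "10.1.1.0/24"]
    print(coverage(wl))
    for ip in ("10.1.1.77", "10.1.2.1"):
        print(ip, is_permitted(ip, wl))
    print("empty list:", is_permitted("203.0.113.9", []))
```

Running `coverage` over a list before saving it shows how many source addresses each entry lets through: 1 for a /32, 256 for a /24.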

# Best Practice:

We highly recommend that your web service implement HTTP login/password or bearer-token authentication, using the HTTP authentication header, so that it can be accessed securely. This adds an additional layer of security when exposing your web service via a SocketXP Public Web URL.