Whitelisting IP Addresses of Senders Through the Gateway

When using the PCI Booking Gateway, you will be receiving requests from third parties forwarded to you from PCI Booking. The standard method of whitelisting IP address of the senders will not work as, from your server's perspective, the sender of all requests will be the PCI Booking servers and not the original sender.

While PCI booking does not offer whitelisting of IP addresses within the gateway - we will pass through any request that reaches our servers to the target URL - we provide information regarding the original sender and the PCI Booking servers so that you can perform whitelisting on your end.

When a request reaches your servers from the PCI Booking Gateway, it will contain a special header called X-Forwarded-For. This header will contain a list of multiple IP addresses (at least two) where the first IP address is that of the original sender of the request and the last IP address is that of PCI Booking's web server which forwarded the request to you.
In between, there may be several more IP addresses - those are PCI booking's internal IP addresses and can be ignored.

Below is an example of a request received from the PCI Booking Gateway:

Accept: */*
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Content-Length: 347
Content-Type: application/xml
Host: api.runscope.com
User-Agent: PostmanRuntime/7.4.0
X-Amzn-Trace-Id: Root=1-5c2a3e7f-534419405f0a9800b1ba9920
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Protocol: https
X-Forwarded-Ssl: on
X-Pcibooking-Tokenization-Warnings: [1005] Card type is missing
X-Token: https://service.pcibooking.net/api/payments/paycard/c8882c7d3b6a433f91d64cb21eb70d0a


In this example:

  • The IP address is the original sender's IP
  • The IP address is a PCI Booking internal IP address
  • The IP address is the external IP address of the PCI Booking web server.

When you set up whitelisting on your servers, you will need to accept all requests where the last IP address in the X-Forwarded-For is one of PCI Booking's (Please contact our support team for the most up-to-date list of IP addresses).
Then you can set up filtering - similar to what you have had in the past before using PCI Booking - to check the first IP address in the list which is the IP address of the original sender.