Why do I need to whitelist Apple IP addresses on server

Hi all,

I'm in the process of configuring Apple Pay for payments on an ecommerce site and I've come across the following documentation: Setting Up Your Server | Apple Developer Documentation

It mentions the following in a yellow-highlighted note:

Use a strict allow list for Apple IP addresses and domains provided in Listing 1. Do not allow your server to access any other IP addresses or domains.

My first question is why does my server need to set a strict allowed list when the domain name apple-pay-gateway.apple.com is publicly accessible?

My second question: my web server is hosted on Vercel, and I assume there are no IP restrictions on any outbound requests. If there were restrictions, where would I apply this whitelisting?

Thanks for your help.

1: Accessing other websites and other network services can be leveraged by an adversary for command and control or for data exfiltration during a breach. (And some of the other apps and tools that can be involved with those other ports and services can themselves be vulnerable to exploits and a potential means of ingress.)

2: You’ll need to discuss that with Vercel support. Depending on the current hosting details, you may be headed for a dedicated host, which is prob preferable here anyway.
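Where the host does not offer a network-level egress filter, the same allow list can at least be enforced in the application. The guard below is an added example, not code from this thread or from Apple: it assumes Node 18+ (global `fetch`) and an `ALLOWED_HOSTS` set containing only the one domain named above, which should be extended from Apple's Listing 1.

```javascript
// Added example: application-layer egress allow list for the merchant server.
// ALLOWED_HOSTS is an assumption; it holds only the domain named in the thread
// and must be completed from Listing 1 of Apple's "Setting Up Your Server".
const ALLOWED_HOSTS = new Set(["apple-pay-gateway.apple.com"]);

// Decide whether an outbound URL may be contacted. A reason is returned so a
// refusal can be logged; unexpected refusals are a useful signal that something
// on the server is trying to reach a host it should not.
function checkEgress(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} is not https` };
  }
  // URL parsing lowercases the host and splits off userinfo, so a URL such as
  // "https://apple-pay-gateway.apple.com@evil.example/" yields host evil.example.
  const host = url.hostname.replace(/\.$/, "");
  if (!ALLOWED_HOSTS.has(host)) {
    return { allowed: false, reason: `host ${host} is not on the allow list` };
  }
  if (url.port !== "" && url.port !== "443") {
    return { allowed: false, reason: `port ${url.port} is not permitted` };
  }
  return { allowed: true, host };
}

// fetch wrapper that enforces the check and refuses to follow redirects, so an
// allowed host can never bounce the request to a host outside the list.
async function guardedFetch(target, options = {}) {
  const verdict = checkEgress(target);
  if (!verdict.allowed) {
    throw new Error(`egress blocked: ${verdict.reason}`);
  }
  const res = await fetch(target, { ...options, redirect: "manual" });
  if (res.status >= 300 && res.status < 400) {
    throw new Error(`egress blocked: redirect to ${res.headers.get("location")}`);
  }
  return res;
}
```

Route every outbound call the payment code makes through `guardedFetch` rather than calling `fetch` directly, so the allow list cannot be bypassed by a forgotten code path.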
