Zoom Apps Configuration
- Frontend: React 19 / Zoom Apps SDK
- Backend: Java 21 / Spring Boot 4.0
- Web Server / Reverse Proxy: Nginx (listening on port 443 with SSL)
- Environment: On-premises corporate data center behind a strict firewall
Description
We are currently managing a custom Zoom In-App called “ZiWorks” for our organization. Recently, we experienced server sluggishness, and our network infrastructure team proposed restricting our corporate firewall’s Inbound ACL to allow ONLY official Zoom Outbound IP ranges, while blocking all other public IPs to prevent users from bypassing the Zoom Client and accessing our URL directly via standard web browsers (Chrome/Edge).
However, I understand that the Zoom Client operates as an embedded WebView running locally on the user’s PC. This implies that the HTTP/HTTPS requests originate from the user’s actual public IP, not from Zoom’s servers.
To resolve our internal technical debate and establish correct security guidelines, I would like to clarify:
- Does the incoming HTTP traffic hitting our web server from the Zoom In-App originate from the user’s actual public IP or from Zoom’s official IP ranges?
- If we restrict our firewall to allow ONLY official Zoom IP ranges, will it completely block our users from accessing the Zoom In-App service?
- What is the recommended best practice to prevent users from bypassing the Zoom Client? Should we validate the `X-Zoom-App-Context` header in Spring Boot, or use `User-Agent` filtering in Nginx?
Error?
No explicit error message yet, but we are facing a structural conflict regarding firewall implementation that might lead to a complete service outage.
Troubleshooting Routes
We analyzed our Zoom Marketplace Admin Dashboard (Webhooks & Server-to-Server API logs) and confirmed that the current logs (sendMessage, /v2/users/*) are strictly outbound requests initiated from our server to Zoom, which does not provide evidence for inbound user routing.
How To Reproduce
N/A (Architecture and security configuration inquiry)