Pingback Permitted From
Secure your Pingbacks
Pingback lets sites notify each other about links – but anyone can fake a notification claiming to be from your domain. PPF fixes this with a simple DNS record that declares which servers are authorised to send Pingbacks on your behalf.
Add a TXT record to your DNS
_pingback.example.com. IN TXT "v=ppf1 a"
This is the simplest record for a typical self-hosted site. See the specification for other configurations, or the record generator to create one for your domain.
Stop amplification attacks
Without PPF, an attacker can send a Pingback to thousands of receivers, each one naming a URL on your domain as the source. Every receiver then fetches that URL to verify the link, so your server absorbs a flood of requests it never asked for: a reflected, distributed denial-of-service. With PPF, a receiver checks your DNS policy first and drops the spoofed notification before making any HTTP request at all. The protection grows with the share of receivers that perform the check.
Block unauthorised notifications
Anyone can send a Pingback naming a legitimate page as the source, even though they did not write it, so receivers' notification streams fill with notifications the named site never sent. PPF lets a receiver confirm that the notification came from a server the source domain has authorised before accepting it.
Proven approach
Email had the same problem: anyone could send a message claiming to be from any domain. SPF (Sender Policy Framework) addressed it with a DNS TXT record in which a domain lists the servers allowed to send on its behalf, and it has been deployed at internet scale since 2003. PPF applies that same battle-tested pattern to Pingback and Webmention.
How it works
When a server receives a Pingback claiming a source URL on your domain, it looks up the TXT record at _pingback.yourdomain.com. If the IP address the Pingback arrived from matches the policy in that record, the receiver proceeds to its normal link verification (fetching the source page and checking that it really links to the target). If not, the Pingback is rejected on the spot; no HTTP request is ever made to your server.
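How a PPF-aware receiver could implement this flow, as an added example written for this page (it is not PPF's reference code; the authoritative record grammar is the specification). It assumes the record is "v=ppf1" followed by mechanisms, with "a" meaning the sender must be one of the source host's own A/AAAA addresses. The ip4:/ip6: CIDR mechanisms, the result names pass/fail/none/permerror, the permerror on multiple records, and the choice to fall back to ordinary link verification when no record exists are all borrowed from SPF as assumptions. DNS goes through an injected resolver over a constructed zone table, so it runs offline; the hosts and addresses are documentation values, not real sites. It also shows the amplification point from above: on a failed check the fetch never happens.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed zone data for the example (documentation addresses, not real hosts).
# "ip4:" here is an assumed SPF-style mechanism; the page only shows "a".
FAKE_DNS = {
    ("_pingback.example.com", "TXT"): ["v=ppf1 a"],
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "AAAA"): ["2001:db8::10"],
    ("_pingback.blog.example.net", "TXT"): ["v=ppf1 ip4:198.51.100.0/24 a"],
    ("blog.example.net", "A"): ["198.51.100.200"],
    # Two PPF records at one name: ambiguous policy, treated as permerror (SPF rule).
    ("_pingback.spoofed.example.org", "TXT"): ["v=ppf1 a", "v=ppf1 ip4:0.0.0.0/0"],
}


def fake_resolve(name, rrtype):
    """Stand-in for a DNS resolver; returns the record strings for name/rrtype."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rrtype), [])


def parse_ppf(txt):
    """Return the mechanism list of a PPF record, or None if txt is not one."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=ppf1":
        return None
    return parts[1:]


def check_ppf(source_url, sender_ip, resolve=fake_resolve):
    """Evaluate the source domain's PPF policy against the delivering IP.

    Results mirror SPF (assumed): "pass", "fail", "none" (no record published)
    or "permerror" (malformed or ambiguous policy)."""
    host = urlsplit(source_url).hostname
    if not host:
        return "permerror"
    txts = resolve("_pingback." + host, "TXT")
    records = [m for m in (parse_ppf(t) for t in txts) if m is not None]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    for mech in records[0]:
        m = mech.lower()
        if m == "a":
            # The page's "a": sender must be one of the source host's own addresses.
            rrtype = "AAAA" if ip.version == 6 else "A"
            if any(ipaddress.ip_address(a) == ip for a in resolve(host, rrtype)):
                return "pass"
        elif m.startswith(("ip4:", "ip6:")):
            # Assumed SPF-style CIDR mechanism, not something the page documents.
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return "pass"
        else:
            return "permerror"  # unknown mechanism: refuse to guess
    return "fail"  # no mechanism matched the sender


FETCH_LOG = []  # records every HTTP fetch the receiver would have made
FAKE_PAGE = '<p>See <a href="https://receiver.example/target">this post</a>.</p>'  # constructed


def fake_fetch(url):
    """Stand-in for the HTTP GET that link verification performs."""
    FETCH_LOG.append(url)
    return FAKE_PAGE


def receive_pingback(source_url, target_url, sender_ip, fetch=fake_fetch, resolve=fake_resolve):
    """Receiver flow: DNS policy first; HTTP link verification only if it survives.

    Returns (decision, ppf_result, fetched). A "fail" or "permerror" is rejected
    before any request reaches the source server; "pass" and "none" (assumed
    fallback when no policy is published) go on to normal link verification."""
    result = check_ppf(source_url, sender_ip, resolve)
    if result in ("fail", "permerror"):
        return ("rejected", result, False)
    body = fetch(source_url)
    linked = target_url in body
    return ("accepted" if linked else "rejected", result, True)


if __name__ == "__main__":
    target = "https://receiver.example/target"
    print(receive_pingback("https://example.com/post", target, "198.51.100.9"))   # rejected, no fetch
    print(receive_pingback("https://example.com/post", target, "203.0.113.10"))   # accepted after fetch
    print(FETCH_LOG)
```

The order matters: check_ppf runs before fetch, so a spoofed Pingback costs the receiver one DNS query and costs the claimed source nothing. Real deployments would also cache the TXT lookup and rate-limit per sender.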