API Response Disruptions from Xendit's Security Configuration

Incident Report for Xendit

Resolved

Dear Customers,

At 10:32 WIB, as part of a scheduled security enhancement to further protect Xendit's infrastructure, a new configuration was implemented within our WAF environment.

The updated configuration unintentionally flagged a subset of legitimate merchant API traffic. Consequently, instead of receiving the expected 200 OK response, affected requests were presented with a security challenge. This disrupted automated flows for integrations expecting a standard API response.

Our engineering and security teams identified the misclassification and refined the security rules to ensure legitimate traffic is correctly identified. System behavior was fully restored to normal at 15:13 WIB.

This incident impacted a small minority of unique merchant IPs. Most of Xendit's merchants should not have experienced any disruption during this timeframe.

We have verified that all traffic flows have returned to normal. We are continuing to monitor the environment to ensure ongoing stability.

We apologize for any disruption this security update may have caused to your operations.
Posted Feb 24, 2026 - 10:30 WIB