The endpoint that receives webhooks is publicly accessible by definition. Most webhook implementations skip the security checks that make them trustworthy.
The complete security pattern: verify the HMAC-SHA256 signature on every incoming webhook before processing. Without this, any attacker can send arbitrary data to your endpoint.
Validate the event type explicitly. Respond 200 immediately and process asynchronously — webhook providers retry on non-200, so processing that takes too long causes duplicate delivery.
Implement idempotency. Webhooks are delivered at-least-once, not exactly-once. Your handler will receive duplicates. Make it safe to call multiple times with the same event.
— Dick Bassey | DevDick | 2023
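The four steps above combined in one handler, as an added example that is not part of the original post. The secret, the event names, the `id`/`type` payload fields and the hex signature format are assumptions; a real provider documents its own header and encoding, and the in-memory set and queue stand in for a durable store and job queue.

```python
import hashlib
import hmac
import json
import queue

SECRET = b"constructed-demo-secret"   # assumption: shared secret issued by the provider
ALLOWED_EVENTS = {"payment.succeeded", "payment.failed"}  # hypothetical event names
seen_event_ids = set()                # stand-in for a durable store with a unique key
work_queue = queue.Queue()            # stand-in for a real background job queue


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 over the raw request body (assumed signature format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, signature_header: str) -> tuple[int, str]:
    """Return (HTTP status, reason). Slow work is queued, never done inline."""
    # 1. Verify the signature over the exact bytes received, before parsing.
    #    compare_digest is constant-time, so the check leaks no timing signal.
    expected = sign(raw_body).encode()
    supplied = (signature_header or "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 401, "bad signature"

    # 2. Parse, then validate the event type against an explicit allowlist.
    try:
        event = json.loads(raw_body)
        event_id, event_type = str(event["id"]), str(event["type"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if event_type not in ALLOWED_EVENTS:
        # Design choice in this sketch: acknowledge so the provider stops
        # retrying, but do no work for a type we never opted into.
        return 200, "ignored event type"

    # 3. Idempotency: at-least-once delivery means this id may arrive again.
    if event_id in seen_event_ids:
        return 200, "duplicate ignored"
    seen_event_ids.add(event_id)

    # 4. Acknowledge immediately; a worker drains the queue asynchronously.
    work_queue.put(event)
    return 200, "queued"
```

In production the duplicate check and the insert must be one atomic operation (for example a unique constraint on the event id), otherwise two concurrent deliveries can both pass step 3.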