These callbacks may be maintained, modified, and managed by third-party users who need not be affiliated with the originating website or application.
[6] When that event occurs, the source site makes an HTTP request to the URL configured for the webhook.
[9] When the client (the originating website or application) makes a webhook call to the third-party user's server, the incoming POST request should be authenticated to avoid a spoofing attack and its timestamp verified to avoid a replay attack.
[10] Different techniques to authenticate the client are used: The sender may choose to keep a constant list of IP addresses from which requests will be sent.
This is not a sufficient security measure on its own, but it is useful for when the receiving endpoint is behind a firewall or NAT.