benfrancis
commented
1 year ago Note: In the W3C WebSub specification, a hub verifies the intent of a Webhook subscriber by sending a special GET request to the subscriber-provided callback URL which contains a randomly generated string which the subscriber must echo back with a 2xx success response code and the string in its body.
Because Webhooks involve a Thing sending (potentially a very large number of) HTTP requests to a Consumer, there's a risk that they can be abused, e.g. to launch a denial-of-service attack on an unsuspecting web server.
For inspiration, CloudEvents specifies a mechanism by which a web server can signal that it accepts event notifications (and at what rate) using HTTP headers.