...
Use the HTTPS protocol for your hook endpoints.
Store your hook secret securely.
You can also roll hook secrets periodically.
If your hook secret is compromised, regenerate the secret and use only the new secret to verify the signature.
Do not accept webhook requests with an invalid signature.
Do not accept webhook requests whose timestamp in the Signature header is too old.
Optionally, you can also set up an IP address whitelist and verify the request originator's IP address.
For the production environment, our IP address is 35.189.196.34.
For the staging environment (used only in special cases upon agreement with the client), our IP address is 34.79.17.248.
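
The checks above combined in one receiver-side function, as an added example that is not the provider's own code. The header layout (`t=<unix seconds>,v1=<hex digest>`), the HMAC-SHA256 construction over `<t>.<raw body>`, the 300-second tolerance and accepting two secrets during a planned roll are all assumptions, because this page does not specify them; only the two IP addresses come from the page.

```python
import hashlib
import hmac
import time

# Assumed, not from the page: header "t=<unix seconds>,v1=<hex HMAC-SHA256>",
# signed message "<t>.<raw body>", and a 5-minute freshness window.
TOLERANCE_SECONDS = 300
# Source IPs stated on the page (production, staging).
ALLOWED_IPS = {"35.189.196.34", "34.79.17.248"}


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<body>" (assumed scheme)."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secrets, header, body, remote_ip, now=None):
    """Return (accepted, reason). `secrets` holds the currently valid hook
    secrets: one normally, old and new during a planned roll (assumption),
    and only the new one after a compromise."""
    now = time.time() if now is None else now
    if remote_ip not in ALLOWED_IPS:
        return False, "ip not allowed"
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        received = fields["v1"]
    except (KeyError, ValueError, AttributeError):
        return False, "malformed signature header"
    # A stale timestamp means a captured request may be getting replayed.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    # compare_digest runs in constant time, so a mismatch leaks no prefix length.
    for secret in secrets:
        if hmac.compare_digest(sign(secret, timestamp, body).encode(), received.encode()):
            return True, "ok"
    return False, "invalid signature"


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    secret, body, ts = b"constructed-secret", b'{"event":"test"}', int(time.time())
    header = f"t={ts},v1={sign(secret, ts, body)}"
    print(verify_webhook([secret], header, body, "35.189.196.34"))
    print(verify_webhook([secret], header, body + b"x", "35.189.196.34"))
```

Verify against the raw request bytes, before any JSON parsing or re-serialization, and take `remote_ip` from the connection or a trusted proxy rather than from a client-supplied header.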