Webhook Security

Webhooks are event callbacks over HTTP — and every one is an unauthenticated POST that a bad actor can forge, replay, or point at your own internal network. HMAC signature bypass (three ways), replay attacks against "verified" events, SSRF through delivery URL registration, and the baseline that shuts them all down.