Your webhooks must be hosted on a public HTTPS server that has a valid SSL certificate. Self-signed certificates aren’t supported. The Secure Edge Portal verifies that the webhook intends to receive notifications at that URL and uses the webhook to send notification only after verification.
To ensure that the requests you’re getting at your webhook endpoint are actually coming from us, webhook notifications from Secure Edge include a signature in each notification’s header. Your webhook endpoint can verify this signature to validate the integrity and origin of the payload. See Verifying webhook signature for more information about the webhook signature.
In addition, we send webhook notifications only from the following two IP addresses: 54.69.9.243 and 52.34.135.74. You can increase security by whitelisting webhook calls from these IP addresses only.