Hello, I'm looking for guidance on how to secure a webhook endpoint. We've added one triggering on order cancellation.
Currently the endpoint is completely open to the web, but obviously we'd like to secure it so only requests coming from Shopify are valid. However, when I'm looking at the request object (headers), nothing is jumping out at me. "Origin" is not provided (so I think whitelisting origins through CORS is not a possibility), and I read in another post you don't recommend whitelisting IPs.
What information contained in your request do you recommend we use so we know that the request is coming from you, Shopify?
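
Added example, not part of the original post: Shopify signs each webhook delivery with an `X-Shopify-Hmac-Sha256` header, which is a base64-encoded HMAC-SHA256 of the raw request body keyed with the app's shared secret. The check below recomputes that value and compares it in constant time; the function names, the secret and the sample body are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values. In a real deployment the secret is the shared
# secret Shopify issues for the app, loaded from configuration, never from code.
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"id":1001,"cancel_reason":"customer"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 over the exact bytes that were received."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_from_shopify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-shopify-hmac-sha256")
    if not received:
        return False  # unsigned request: reject it
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-Sha256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print("signed request accepted:", is_from_shopify(SAMPLE_SECRET, SAMPLE_BODY, good))
    # Same header, modified body: the signature no longer matches.
    tampered = SAMPLE_BODY.replace(b"1001", b"1002")
    print("tampered body accepted:", is_from_shopify(SAMPLE_SECRET, tampered, good))
    print("unsigned request accepted:", is_from_shopify(SAMPLE_SECRET, SAMPLE_BODY, {}))
```

The HMAC must be computed over the body bytes exactly as they arrived, before any JSON parsing or re-serialisation, otherwise valid deliveries will fail the check.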