From 8e531fba54e0e0c011fba8581ad63797d4385751 Mon Sep 17 00:00:00 2001 From: Philip de Nier Date: Thu, 2 May 2024 17:04:47 +0100 Subject: [PATCH] reviewcomment: add webhook spoofing comment Co-authored-by: Sam Mesterton-Gibbons --- api/TimeAddressableMediaStore.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/TimeAddressableMediaStore.yaml b/api/TimeAddressableMediaStore.yaml index bfcaecd..e1f9712 100644 --- a/api/TimeAddressableMediaStore.yaml +++ b/api/TimeAddressableMediaStore.yaml @@ -170,7 +170,7 @@ paths: of `events` SHOULD update the existing registration. POSTing an empty list of events SHOULD remove the registration. - HTTP requests from the service SHOULD include a `api_key_name` header with the 'api_key_value' value. + HTTP requests from the service SHOULD include a `api_key_name` header with the 'api_key_value' value. Clients SHOULD verify this against the value they provided when registering the webhook. API implementations SHOULD consider the security implementations of providing webhooks, and include appropriate mitigations against Server Side Request Forgery (SSRF) attacks and similar.
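Review bot: The sentence added on the `api_key_name` line says clients SHOULD verify the header value but does not say what a client does when the header is missing or the value does not match. Since the commit is about webhook spoofing, state that such requests are rejected and not processed as events. Because the value acts as a shared secret, it is also worth recommending a constant-time comparison. Two wording points in the same region: the line puts `api_key_name` in backticks but 'api_key_value' in single quotes, and it reads "a `api_key_name`" where "an" is expected. The unchanged context line after it says "security implementations of providing webhooks", which looks like it should read "security implications".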