It occurs to me that we ought to take a pass through the web profile to ensure that we have sensible baseline standards in place for the security of webhook receptors, e.g., ensuring that authenticity checks are enforced when requesting confidential information or initiating a transaction that should only be allowed when originating from an authorized party.
See for reference: https://developer.amazon.com/en-US/docs/alexa/custom-skills/security-testing-for-an-alexa-skill.html