From 904f478c0914c4b0587f9b0811e3c62ed39fac72 Mon Sep 17 00:00:00 2001 From: "firecrawl-spring[bot]" <254786068+firecrawl-spring[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 15:03:07 +0000 Subject: [PATCH] docs: consolidate best practices into scannable list Replace three thin H3 subsections with a single bulleted list. Removes a redundant code snippet already covered by the full implementation examples above. Co-Authored-By: micahstairs --- webhooks/security.mdx | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/webhooks/security.mdx b/webhooks/security.mdx index 34d938914..fdeb35239 100644 --- a/webhooks/security.mdx +++ b/webhooks/security.mdx @@ -46,24 +46,6 @@ X-Firecrawl-Signature: sha256=abc123def456... ## Best Practices -### Always Verify Signatures - -Never process a webhook without verifying its signature first: - -```javascript -app.post('/webhook', (req, res) => { - if (!verifySignature(req)) { - return res.status(401).send('Unauthorized'); - } - processWebhook(req.body); - res.status(200).send('OK'); -}); -``` - -### Use Timing-Safe Comparisons - -Standard string comparison can leak timing information. Use `crypto.timingSafeEqual()` in Node.js or `hmac.compare_digest()` in Python. - -### Use HTTPS - -Always use HTTPS for your webhook endpoint to ensure payloads are encrypted in transit. +- **Verify every request.** Always check the signature before processing a webhook payload. Reject any request that fails verification with a `401` status. +- **Use timing-safe comparisons.** Standard string comparison can leak timing information. Use `crypto.timingSafeEqual()` in Node.js or `hmac.compare_digest()` in Python. +- **Serve your endpoint over HTTPS.** This ensures webhook payloads are encrypted in transit.
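Review bot: In the added "Use timing-safe comparisons" bullet, `crypto.timingSafeEqual()` is recommended without noting that it throws when the two buffers differ in length, so a handler that passes a truncated or malformed `X-Firecrawl-Signature` value straight into it raises an exception instead of returning `401`. Suggest extending the bullet with something like "check that both values have the same length first and reject on mismatch". Separately, in the "Verify every request" bullet, the removed snippet was the only place in this hunk that showed the ordering (`if (!verifySignature(req))` returning `401` before `processWebhook(req.body)`). The commit message says the full implementation examples above already cover it, but those are outside the visible context, so please confirm they reject with `401` before the payload is processed. If they do, a short pointer from the bullet to those examples would keep the list self-explanatory.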