firecrawl · firecrawl-spring · Jan 15, 2026
diff --git a/features/batch-scrape.mdx b/features/batch-scrape.mdx
@@ -78,8 +78,6 @@ You can configure webhooks to receive real-time notifications as each URL in you
 
 <BatchScrapeWebhookCURL />
 
-For comprehensive webhook documentation including event types, payload structure, and implementation examples, see the [Webhooks documentation](/webhooks/overview).
-
 ### Quick Reference
 
 **Event Types:**
@@ -102,7 +100,23 @@ For comprehensive webhook documentation including event types, payload structure
 }
 ```
 
-<Note>
-  For detailed webhook configuration, security best practices, and
-  troubleshooting, visit the [Webhooks documentation](/webhooks/overview).
-</Note>
+### Security: Verifying Webhook Signatures
+
+Every webhook request from Firecrawl includes an `X-Firecrawl-Signature` header containing an HMAC-SHA256 signature. **Always verify this signature** to ensure the webhook is authentic and hasn't been tampered with.
+
+**How it works:**
+
+1. Get your webhook secret from the [Advanced tab](https://www.firecrawl.dev/app/settings?tab=advanced) of your account settings
+2. Extract the signature from the `X-Firecrawl-Signature` header
+3. Compute HMAC-SHA256 of the raw request body using your secret
+4. Compare with the signature header using a timing-safe function
+
+<Warning>
+  Never process a webhook without verifying its signature first. The `X-Firecrawl-Signature` header contains the signature in the format: `sha256=abc123def456...`
+</Warning>
+
+For complete implementation examples in JavaScript and Python, see the [Webhook Security documentation](/webhooks/security).
+
+### Full Documentation
+
+For comprehensive webhook documentation including detailed event payloads, advanced configuration, and troubleshooting, see the [Webhooks documentation](/webhooks/overview).
diff --git a/features/crawl.mdx b/features/crawl.mdx
@@ -214,8 +214,6 @@ You can configure webhooks to receive real-time notifications as your crawl prog
 
 <CrawlWebhookCURL />
 
-For comprehensive webhook documentation including event types, payload structure, and implementation examples, see the [Webhooks documentation](/webhooks/overview).
-
 ### Quick Reference
 
 **Event Types:**
@@ -238,7 +236,23 @@ For comprehensive webhook documentation including event types, payload structure
 }
 ```
 
-<Note>
-  For detailed webhook configuration, security best practices, and
-  troubleshooting, visit the [Webhooks documentation](/webhooks/overview).
-</Note>
+### Security: Verifying Webhook Signatures
+
+Every webhook request from Firecrawl includes an `X-Firecrawl-Signature` header containing an HMAC-SHA256 signature. **Always verify this signature** to ensure the webhook is authentic and hasn't been tampered with.
+
+**How it works:**
+
+1. Get your webhook secret from the [Advanced tab](https://www.firecrawl.dev/app/settings?tab=advanced) of your account settings
+2. Extract the signature from the `X-Firecrawl-Signature` header
+3. Compute HMAC-SHA256 of the raw request body using your secret
+4. Compare with the signature header using a timing-safe function
+
+<Warning>
+  Never process a webhook without verifying its signature first. The `X-Firecrawl-Signature` header contains the signature in the format: `sha256=abc123def456...`
+</Warning>
+
+For complete implementation examples in JavaScript and Python, see the [Webhook Security documentation](/webhooks/security).
+
+### Full Documentation
+
+For comprehensive webhook documentation including detailed event payloads, payload structure, advanced configuration, and troubleshooting, see the [Webhooks documentation](/webhooks/overview).