From 595076ae5462219513ee5a7c8bf696b0f6980ecd Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Sat, 16 Oct 2021 17:04:23 -0600 Subject: [PATCH] docs: add notes on webhook and email address security --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 0672535..a2b4844 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,23 @@ Webhooks can be set up in the Application section of the Dashboard: You'll see a list of applications. Click on one to access the webhooks. +**Security**: You must put a `secret` or `token` or your webhook URLs - PayPal +provides no measure of authentication (and otherwise an attacker could just send +random crap to your webhooks making it look like they've paid for all sorts of +things). + +# Security + +#### User email addresses + +Emails addresses available through the PayPal Checkout API guaranteed to have +been verified by PayPal. + +See: + +- [Is `resource.subscriber.email_address` verified by PayPal?](https://twitter.com/paypaldev/status/1448238655743488008) +- [How do I receive money through PayPal?](https://www.paypal.com/us/smarthelp/article/how-do-i-receive-money-through-paypal-faq1750) + # Notes Note: Just about everything in the PayPal SDK that uses `ALL_CAPS` is a
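Review bot: The new **Security** paragraph in the README hunk has a wording error that changes its meaning: "put a `secret` or `token` or your webhook URLs" should read "put a `secret` or `token` in your webhook URLs", and the sentence "Emails addresses available through the PayPal Checkout API guaranteed to have been verified by PayPal" is missing a verb ("Email addresses ... are guaranteed ..."). The blanket claim that PayPal "provides no measure of authentication" for webhooks should either link a source or be softened to state what this SDK actually checks, since readers will rely on it when deciding how to validate incoming notifications; the Twitter link given under "User email addresses" is a good model for that. Since the recommended control is a shared secret carried in the URL, the note should also say to treat that URL as a credential (keep it out of public logs and repos, rotate it if exposed) and to compare the received value with a constant-time comparison rather than plain string equality, otherwise the added guidance is only half a mitigation. Minor style points: the heading levels jump from `# Security` straight to `#### User email addresses` (the rest of the README uses `#` for top-level sections, so `##` would be consistent), and "random crap" reads as out of register for documentation ("forged notifications" says the same thing).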