We built a secure webhooks service by layering multiple defenses against server-side request forgery (SSRF): strict URL validation, DNS resolution tests, and egress rules that limit HTTP connections. To prevent abuse and keep our systems reliable, we also implemented rate limiting and uniqueness/locking, isolated the infrastructure, set strict timeouts, and limited the number of webhooks.
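One way the URL validation and DNS resolution test could look, as an added example rather than the service's own code. The HTTPS-only and port-443 policy, the function names, the hostnames and the DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES, ALLOWED_PORTS = {"https"}, {443}  # assumed policy, not from the page
# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "hooks.customer.example": {"8.8.8.8"},
    "mixed.customer.example": {"8.8.8.8", "10.0.0.5"},
    "metadata.customer.example": {"169.254.169.254"},
    "mapped.customer.example": {"::ffff:127.0.0.1"},
}

def system_resolver(host, port):
    """Every address the OS resolver returns for host."""
    return {i[4][0] for i in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}

def sample_resolver(host, port):
    if host not in SAMPLE_DNS:
        raise OSError("no such host (constructed)")
    return SAMPLE_DNS[host]

def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d hides an IPv4 target
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_webhook_url(url, resolver=system_resolver):
    """Return (ok, detail); on success detail is the sorted list of vetted IPs."""
    try:
        parts = urlsplit(url)
        port = 443 if parts.port is None else parts.port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if not parts.hostname or port not in ALLOWED_PORTS:
        return False, "missing host or port not allowed"
    try:
        addrs = resolver(parts.hostname, port)
    except OSError:
        return False, "DNS resolution failed"
    # Reject if ANY answer is non-public: one internal record is enough to be reached.
    bad = sorted(a for a in addrs if not is_public(a))
    if bad or not addrs:
        return False, "non-public or empty answer: " + ", ".join(bad)
    return True, sorted(addrs)
```

The delivery request should connect to one of the returned addresses instead of resolving the hostname again, since a second lookup can return a different answer than the one that was checked. Egress rules remain the backstop for anything this check misses.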