Webhook - Security / URL Querystring

Greetings Team,

Setting up a Webhook, some more general questions:

Can the webhook URL contain a query string (assume: yes)?
When the payload is received, what is the best practice to determine that the POST is actually from "Maximizer"?
Once created, how to I confirm the response "Maximizer" is receiving?

Regarding number two (2) above; currently, our target API will send a HTTP response code of 401 or 403 if the request is not authenticated and authorized. We utilize HTTP headers which we can supply in the target definition; however, we also only allow whitelisted IP addresses, sub nets, or origins access.

Please advise on above, as answers determine if we need to edit our security procedures for Webhooks to be received.

As always, kind regards,

Joe