receiver view [webmention-0002]

Therefore, a receiver is a POST handler. According to the spec, we can

  1. return HTTP code 201 with a Location header pointing to the status URL
  2. return HTTP code 202 and perform the verification asynchronously
  3. return HTTP code 200 and perform the verification synchronously (not recommended); section 3.2.2 says:
    Webmention verification should be handled asynchronously to prevent DoS (Denial of Service) attacks.

Verification

  • The receiver must check that source and target are valid URLs [URL] and are of schemes that are supported by the receiver. (Most commonly this means checking that the source and target schemes are http or https).
  • The receiver must reject the request if the source URL is the same as the target URL.
  • The receiver should check that target is a valid resource for which it can accept Webmentions. This check should happen synchronously to reject invalid Webmentions before more in-depth verification begins. What a "valid resource" means is up to the receiver. For example, some receivers may accept Webmentions for multiple domains, others may accept Webmentions for only the same domain the endpoint is on.

If the receiver is going to use the Webmention in some way, (displaying it as a comment on a post, incrementing a like counter, notifying the author of a post), then it must perform an HTTP GET request on source, following any HTTP redirects (and should limit the number of redirects it follows) to confirm that it actually mentions the target. The receiver should include an HTTP Accept header indicating its preference of content types that are acceptable.

Error response

If the Webmention was not successful because of something the sender did, the receiver must return a 400 Bad Request status code and may include a description of the error in the response body.
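
The checks above, split into the cheap synchronous part (answer 400 or 202 straight away) and the later "does source mention target" test, as an added example that is not code from the spec or from this site. The host `blog.example`, the function names, and treating "mentions" as an exact match on an `href` or `src` attribute are assumptions of this sketch; the HTTP GET on source with a redirect limit is left out so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACCEPTED_HOSTS = {"blog.example"}  # assumption: hosts this endpoint accepts mentions for
SCHEMES = {"http", "https"}        # schemes supported by this receiver

def _parse(url):
    """Return the split URL if it is absolute with a supported scheme, else None."""
    try:
        parts = urlsplit(url or "")
    except ValueError:             # e.g. malformed IPv6 literal in the host part
        return None
    return parts if parts.scheme in SCHEMES and parts.hostname else None

def check_request(source, target):
    """Synchronous checks. Returns (status, reason); 202 means 'queue for verification'."""
    src, tgt = _parse(source), _parse(target)
    if src is None or tgt is None:
        return 400, "source and target must be http(s) URLs"
    if source == target:           # exact string comparison, no URL normalization
        return 400, "source must differ from target"
    if tgt.hostname not in ACCEPTED_HOSTS:
        return 400, "target is not accepted by this endpoint"
    return 202, "accepted"

class _Links(HTMLParser):
    """Collects every href/src attribute value found in a document."""
    def __init__(self):
        super().__init__()
        self.urls = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.add(value)

def mentions_target(html, target):
    """Asynchronous step, run on the body fetched from source: is target linked?"""
    parser = _Links()
    parser.feed(html)
    return target in parser.urls
```

A source page that only contains the target URL as plain text does not count as a mention here, because only attribute values are collected.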