Security concerns in atlassian-connect

In case anyone else finds this post and is not using atlassian-connect-spring-boot (which I have no experience with):

This has been discussed in the community before - at least in the context of vendors who are not using atlassian-connect-spring-boot.

Some ideas people are using:

  • verify that the installation request is coming from Atlassian IP range: https://ip-ranges.atlassian.com/
  • verify that a JWT generated from the shared secret can make a successful authenticated request to the host. (Note: if you use this method, you must also verify that the host is an atlassian.net, atlassian.com, or jira.com domain.)

See here for a previous discussion on the topic: Jira Connect App Installation handshake - Security Context
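As an added illustration (my own code, not from this thread, from Atlassian, or from any Connect framework) of the two checks that can be done without a network round-trip: the source-IP check against the ip-ranges file and the host-domain check on the `baseUrl` of the install payload. It assumes the ip-ranges file is a JSON object whose `items` entries carry a `cidr` field, and the sample ranges and addresses below are constructed; the JWT round-trip check from the post is not covered.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample in the assumed shape of https://ip-ranges.atlassian.com/
# (an object with "items", each carrying a "cidr"). Fetch the live file instead.
SAMPLE_IP_RANGES = json.dumps({
    "items": [{"cidr": "203.0.113.0/24"}, {"cidr": "2001:db8::/32"}]
})

# Suffixes from the post; the leading dot forces a real subdomain match,
# so "foo.atlassian.net.evil.example" and "notatlassian.net" are rejected.
ALLOWED_HOST_SUFFIXES = (".atlassian.net", ".atlassian.com", ".jira.com")


def load_networks(doc):
    """Parse the ip-ranges JSON into ip_network objects (v4 and v6)."""
    return [ipaddress.ip_network(item["cidr"]) for item in json.loads(doc)["items"]]


def is_atlassian_ip(addr, networks):
    """True if addr falls inside any listed range; mismatched IP versions never match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def host_is_allowed(base_url):
    """Require https and a hostname under one of the allowed Atlassian domains."""
    parts = urlsplit(base_url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return host.endswith(ALLOWED_HOST_SUFFIXES)


def vet_install_request(remote_addr, base_url, networks):
    """Combine both checks; returns (ok, reason) so the caller can log the reason."""
    if not is_atlassian_ip(remote_addr, networks):
        return False, "source address not in Atlassian IP ranges"
    if not host_is_allowed(base_url):
        return False, "baseUrl host is not an Atlassian-owned domain over https"
    return True, "ok"


if __name__ == "__main__":
    nets = load_networks(SAMPLE_IP_RANGES)
    print(vet_install_request("203.0.113.7", "https://acme.atlassian.net", nets))
    print(vet_install_request("203.0.113.7", "https://acme.atlassian.net.evil.example", nets))
```

Use the reason string for logging only; the install should be rejected with a generic error either way.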