Craft CMS Asked by Britchie on December 15, 2020
I could not find any documentation on the ‘Webhook Signing Secret’ used in Commerce Settings > Gateway > Stripe Gateway. Can someone tell me what this is, what it’s used for and typically what I should be entering as a value? Not sure if this is even required? References or insight most appreciated.
Webhooks are like callback events. Basically when something happens on Stripe's side (e.g. a new customer created, a trial subscription cancelled, etc.) your application can get notified as well and take the appropriate action.
They're less useful when your application controls that entire process but in the case of subscriptions, let's say the customer's card declines after month 2. You definitely want to get notified when that happens and take the appropriate action since Stripe is taking care of those payments.
A webhook signing secret is optional but it's basically a signature for verifying that whatever webhook Stripe is sending is legit. Stripe uses a secret key that Commerce can use to verify that Stripe was really the author of that webhook call, which can help prevent things like replay attacks.
It's less useful in the case of smaller applications but if you're building something with Stripe Connect where multiple users can authenticate, get payouts, etc. it becomes essential.
In the case of security, nothing is ever binary. Much like CSRF protection, you want layers of an onion and signing secrets provide another layer of protection.
Answered by RitterKnight on December 15, 2020
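The check that a webhook signing secret makes possible, as an added example that is not part of the original answer and is not Craft Commerce's or Stripe's code. It follows Stripe's documented v1 scheme (HMAC-SHA256 over `timestamp.payload`, carried in the `Stripe-Signature` header); the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # five-minute freshness window, the default in Stripe's libraries

# Constructed sample values, not real credentials or a captured event.
SECRET = "whsec_constructed_example_secret"
PAYLOAD = b'{"id":"evt_constructed","type":"invoice.payment_failed"}'


def sign(secret: str, timestamp: int, payload: bytes) -> str:
    """Hex HMAC-SHA256 over b"<timestamp>.<raw body>" keyed with the signing secret."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(secret: str, header: str, payload: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the header carries a valid and fresh v1 signature."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":  # other schemes are ignored to avoid downgrade
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    expected = sign(secret, timestamp, payload).encode()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        return False
    now = int(time.time()) if now is None else now
    # The timestamp is covered by the signature, so an old captured request
    # cannot be given a fresh timestamp without knowing the secret.
    return abs(now - timestamp) <= TOLERANCE_SECONDS


if __name__ == "__main__":
    t = int(time.time())
    header = f"t={t},v1={sign(SECRET, t, PAYLOAD)}"
    print("genuine:", verify(SECRET, header, PAYLOAD))
    print("tampered body:", verify(SECRET, header, PAYLOAD + b" "))
    print("replayed an hour later:", verify(SECRET, header, PAYLOAD, now=t + 3600))
```

The signature must be computed over the raw request body exactly as received, not over re-serialized JSON. A replay inside the tolerance window still verifies, so handlers should also be idempotent per event id.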