diff --git a/lib/stripe/webhook.rb b/lib/stripe/webhook.rb
index 3c2d6ff1..966b3fa2 100644
--- a/lib/stripe/webhook.rb
+++ b/lib/stripe/webhook.rb
@@ -9,6 +9,11 @@ module Stripe
 def self.construct_event(payload, sig_header, secret, tolerance: DEFAULT_TOLERANCE)
 Signature.verify_header(payload, sig_header, secret, tolerance: tolerance)
+ # It's a good idea to parse the payload only after verifying it. We use
+ # `symbolize_names` so it would otherwise be technically possible to
+ # flood a target's memory if they were on an older version of Ruby that
+ # doesn't GC symbols. It also decreases the likelihood that we receive a
+ # bad payload that fails to parse and throws an exception.
 data = JSON.parse(payload, symbolize_names: true)
 Event.construct_from(data)
 end
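Review bot: The second sentence of the added comment is hard to follow — `We use symbolize_names so it would otherwise be technically possible to flood a target's memory` reads as if `symbolize_names` were the mitigation, when it is the reason the verify-then-parse ordering matters. Suggest rewording it along the lines of `Because we parse with symbolize_names: true, parsing before verification would let an unauthenticated sender intern arbitrary symbols, which Rubies older than 2.2 never garbage-collect.` The final sentence also overstates the effect: verifying first does not reduce how many malformed payloads arrive, it ensures an unsigned or tampered payload fails in verify_header rather than raising a JSON parse error, so something like `It also means a payload that fails verification is rejected before JSON.parse can raise on it` is more accurate. The enclosing module/class opens above the hunk, and the header's line counts suggest one trailing context line (probably blank) that did not survive the collapsed layout.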