As a Roblox developer, there is no way to verify Roblox HttpService requests actually came from Roblox.
As of right now, there is no way of verifying an HttpService request actually came from a Roblox server. The most a developer can do is check if the “Roblox-Id” header exists (easily spoofed), or check the requesting IP address to see if it matches a Roblox IP range (which can also constantly break if Roblox buys new servers or something changes internally).

A better way of doing this is for HttpService requests to have a custom header - we will call it Roblox-Verification for now - where the value will be an RSA signature of the current Roblox-Id header concatenated with some sort of time-based value. (I originally was going to use the Unix timestamp, but latency issues might result because of that.)

A server can then verify the signature to check if it is a legitimate Roblox server or not. Of course, there are issues with this (replay attacks, timing issues as I stated earlier, the Roblox-Id header being brute-forceable, etc.) - but as a general idea it's pretty solid.
I made some PHP pseudocode implementing this, if you would like to see:

A similar idea was discussed back in 2015 which had a different system of a shared key, but it never really gained very much traction. If we were going to go with a shared key system, we could also use HMAC to verify that as well. In short - a better way of verifying the authenticity of HttpService requests is needed.
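The shared-key (HMAC) variant of the scheme described in the post, written up here as an added Python example; it is not the author's PHP pseudocode, which does not appear on the page. It assumes two extra headers, Roblox-Timestamp and Roblox-Nonce, alongside the Roblox-Id and Roblox-Verification headers named in the post, and uses a constructed demo secret. The time window absorbs the latency concern the post mentions, and the nonce cache rejects the replays it lists as an open issue.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Header names: Roblox-Id and Roblox-Verification come from the post; the
# timestamp and nonce headers are assumptions made for this example.
HDR_ID = "Roblox-Id"
HDR_SIG = "Roblox-Verification"
HDR_TS = "Roblox-Timestamp"
HDR_NONCE = "Roblox-Nonce"

# Constructed demo secret; a real deployment would share a random key out of band.
SHARED_SECRET = b"constructed-demo-shared-secret-do-not-use"

MAX_SKEW_SECONDS = 300  # tolerate up to 5 minutes of latency / clock drift


def _message(roblox_id: str, timestamp: int, nonce: str) -> bytes:
    # Fixed delimiter so "12"+"345" and "123"+"45" cannot produce the same bytes.
    return f"{roblox_id}|{timestamp}|{nonce}".encode()


def sign_headers(roblox_id: str, secret: bytes = SHARED_SECRET,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """What the sending side (Roblox, under the proposal) would attach to the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    tag = hmac.new(secret, _message(roblox_id, timestamp, nonce), hashlib.sha256).hexdigest()
    return {HDR_ID: roblox_id, HDR_TS: str(timestamp), HDR_NONCE: nonce, HDR_SIG: tag}


class Verifier:
    """Receiving side: checks the tag, enforces the time window, rejects replayed nonces."""

    def __init__(self, secret: bytes = SHARED_SECRET, max_skew: int = MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self._seen: Dict[str, int] = {}  # nonce -> timestamp, for replay detection

    def _evict(self, now: int) -> None:
        # Nonces older than the window can be dropped: their timestamp check fails anyway.
        cutoff = now - self.max_skew
        for nonce in [n for n, ts in self._seen.items() if ts < cutoff]:
            del self._seen[nonce]

    def verify(self, headers: Dict[str, str], now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            roblox_id = headers[HDR_ID]
            ts = int(headers[HDR_TS])
            nonce = headers[HDR_NONCE]
            tag = headers[HDR_SIG]
        except (KeyError, ValueError):
            return False, "missing or malformed headers"
        expected = hmac.new(self.secret, _message(roblox_id, ts, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag is not leaked through timing differences.
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        self._evict(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = ts
        return True, "ok"


def demo() -> List[str]:
    """Constructed walkthrough: a good request, a replay of it, a forged id, and a stale one."""
    v = Verifier()
    now = 1_700_000_000  # fixed clock so the run is deterministic
    good = sign_headers("123456", timestamp=now, nonce="n1")
    results = [v.verify(good, now)[1]]
    results.append(v.verify(good, now)[1])            # identical headers again -> replay
    forged = dict(good, **{HDR_ID: "654321"})         # id changed without the secret
    results.append(v.verify(forged, now)[1])
    stale = sign_headers("123456", timestamp=now - 3600, nonce="n2")
    results.append(v.verify(stale, now)[1])
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The verifier checks the tag before the timestamp and nonce so that an unauthenticated request never touches the replay cache; the cache only ever holds nonces that carried a valid tag inside the window, which bounds its size.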