diff --git a/internal/handlers/webhook.go b/internal/handlers/webhook.go
index 0912454..fbc1e26 100644
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -15,8 +15,15 @@ const (
 )
 
 // HandleWebhook handles incoming webhook requests at entrypoint URLs.
+// Only POST requests are accepted; all other methods return 405 Method Not Allowed.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
+ if r.Method != http.MethodPost {
+ w.Header().Set("Allow", "POST")
+ http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
+ return
+ }
+
 entrypointUUID := chi.URLParam(r, "uuid")
 if entrypointUUID == "" {
 http.NotFound(w, r)
diff --git a/internal/server/routes.go b/internal/server/routes.go
index 457b570..d0c1773 100644
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -109,6 +109,8 @@ func (s *Server) SetupRoutes() {
 r.Post("/targets", s.h.HandleTargetCreate()) // Add target
 })
 
- // Entrypoint endpoint - accepts incoming webhook POST requests
+ // Entrypoint endpoint — accepts incoming webhook POST requests only.
+ // Using HandleFunc so the handler itself can return 405 for non-POST
+ // methods (chi's Method routing returns 405 without Allow header).
 s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
 }
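Review bot: The new guard in HandleWebhook spells the method and status text as string literals next to the `http.MethodPost` comparison, so the check and the advertised `Allow` value can drift apart. I would write `w.Header().Set("Allow", http.MethodPost)` and `http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)`. The guard sits ahead of the `uuid` handling, so a non-POST request gets the same 405 whether or not the entrypoint exists. A short why-comment such as `// Reject before the UUID lookup so non-POST probes learn nothing about which entrypoints exist.` would stop a later refactor from reordering it. The closure body continues past the end of the hunk, so anything after the `http.NotFound` call is not reviewed here.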
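Review bot: The new comment in SetupRoutes states that chi returns 405 without an `Allow` header, but that depends on the chi version pinned in go.mod, which is not visible here. Newer chi v5 releases do, as far as I know, set `Allow` on 405, so the claim should be checked or tied to a version. Registering with `HandleFunc` also makes the router match every method for `/webhook/{uuid}`. The `r.Method` check inside HandleWebhook is then the only enforcement, and any middleware on this router runs for non-POST requests too. If router-level enforcement is preferred, keeping `s.router.Post("/webhook/{uuid}", s.h.HandleWebhook())` and adding a `s.router.MethodNotAllowed(...)` handler that sets `Allow` would keep the restriction visible in the route table. Otherwise I would add `// NOTE: this route matches all methods; the POST-only check lives in HandleWebhook.` so the dependency is explicit.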