  1. JBoss Web Services
  2. JBWS-903

CLONE - Access control for subscriptions


    • Type: Feature Request
    • Resolution: Won't Do
    • Priority: Major
    • jbossws-1.0.0
    • None
    • ws-eventing
    • None

      It is important for event sources to properly authorize requests. This is especially true for Subscribe requests, as otherwise the ability to subscribe on behalf of a third-party event sink could be used to create a distributed denial-of-service attack.
      Some possible schemes for validating Subscribe requests include:

      • Send a message to the event sink that describes the requested subscription, and then wait for a confirmation message to be returned by the event sink, before the event source accepts the subscription request. While this provides strong assurance that the event sink actually desires the requested subscription, it does not work for event sinks that are not capable of sending a confirmation, and requires additional logic on the event sink.
      • Require user authentication on the Subscribe request, and allow only authorized users to Subscribe.

      Other mechanisms are also possible. Note that event sources that are not reachable from the Internet have less need to control Subscribe requests.

            rhn-support-hbraun Heiko Braun
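A minimal sketch of an event source that combines both schemes from the description above (authenticated Subscribe plus a confirmation round-trip with the event sink). It is an added illustration, not code from JBossWS or the WS-Eventing specification; the class, the message field names and the `send` transport callback are assumptions, and the sink address is a constructed sample.

```python
import hmac
import secrets
import time

class EventSource:
    """Toy event source: a subscription stays pending until the sink confirms it."""
    def __init__(self, authorized_users, send, ttl=300, clock=time.time):
        self.authorized = set(authorized_users)  # users allowed to Subscribe
        self.send = send      # assumed transport: callable(address, message)
        self.ttl = ttl        # seconds a pending request stays valid
        self.clock = clock
        self.pending = {}     # sub_id -> (sink, token, expires)
        self.active = {}      # sub_id -> sink

    def subscribe(self, user, sink):
        if user not in self.authorized:
            raise PermissionError("user is not allowed to subscribe")
        sub_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.pending[sub_id] = (sink, token, self.clock() + self.ttl)
        # The token is delivered only to the sink address, never returned to the
        # requester, so naming a third-party sink cannot complete the handshake.
        self.send(sink, {"type": "ConfirmSubscription", "id": sub_id, "token": token})
        return sub_id

    def confirm(self, sub_id, token):
        entry = self.pending.pop(sub_id, None)  # single attempt per request
        if entry is None:
            return False
        sink, expected, expires = entry
        fresh = self.clock() <= expires
        match = hmac.compare_digest(token.encode(), expected.encode())
        if not (fresh and match):
            return False
        self.active[sub_id] = sink
        return True

    def publish(self, event):
        for sink in self.active.values():  # unconfirmed sinks receive nothing
            self.send(sink, {"type": "Notification", "event": event})
        return len(self.active)

if __name__ == "__main__":
    sent = []  # constructed in-memory transport standing in for the network
    src = EventSource({"alice"}, lambda addr, msg: sent.append((addr, msg)))
    sid = src.subscribe("alice", "http://sink.example/notify")
    print("delivered before confirmation:", src.publish("tick"))
    print("confirmed:", src.confirm(sid, sent[0][1]["token"]))
    print("delivered after confirmation:", src.publish("tick"))
```

Each accepted Subscribe still sends one confirmation request to the named sink, which is why the sketch applies the authentication check before sending it.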