You really want to get this right @3rdIris... public or private, all your HTTP traffic is sniffable along the way, so you really do want to decode the token Shopify embeds in the header to prove the call comes from Shopify. Making up a crazy URL is not secure since anyone can POST to that URL anything they want and it is clearly viewed and not hidden. You'd never know it was bad data hitting you either.
The recipes to decode the token are numerous and cover most popular scripting languages. It should take no more than 5 minutes to copy & paste the appropriate one and thus be a little more secure in your operations.
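The check described in the post above, as an added example that is not part of the original post: Shopify signs each webhook with a base64-encoded HMAC-SHA256 of the raw request body, keyed with the app's shared secret, and sends it in the `X-Shopify-Hmac-Sha256` header. The function names, the secret and the sample body below are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values; the real secret comes from the app's settings.
SHARED_SECRET = b"example-shared-secret"
SAMPLE_BODY = b'{"id":1001,"email":"buyer@example.com","total_price":"19.99"}'
HMAC_HEADER = "x-shopify-hmac-sha256"  # header names are case-insensitive


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, in the form carried by the header."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is a valid signature for raw_body."""
    if not header_value:
        return False  # unsigned request: reject, never fall through
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # not base64 at all
    # Compute over the exact bytes received, before any JSON parsing.
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


def handle_request(headers: dict, raw_body: bytes) -> int:
    """Hypothetical endpoint: HTTP status to return for a webhook POST."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_webhook(SHARED_SECRET, raw_body, lowered.get(HMAC_HEADER)):
        return 401  # drop forged or altered payloads before processing
    return 200


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-Sha256": sign(SHARED_SECRET, SAMPLE_BODY)}
    print(handle_request(good, SAMPLE_BODY))                # genuine call
    print(handle_request(good, SAMPLE_BODY + b" "))         # body altered
    print(handle_request({}, SAMPLE_BODY))                  # no signature
```

Verify against the raw body bytes as received; re-serializing parsed JSON changes the bytes and makes a genuine signature fail.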