I've already opened up some issues [1]. What you point to is what I mean; in addition, a reverse IP lookup is also useful to tighten security a bit [2], but it's not mandatory. Specifying a secret is IMO the easiest way to have some peace of mind when it comes to accepting hooks. Regarding the API, I mainly found the documentation more difficult to navigate. There doesn't seem to be a section specifically for gitlab.com, so I just have to assume that 'community edition' applies there. I haven't found a place where the API endpoint for a gitlab.com profile is described; it just took a bit of trial and error, and whatever isn't documented for an API I don't like to rely on.
You're welcome, and I appreciate the response. I forgot something, btw, which is actually the biggest issue I had so far: we were affected by some variant of [1].
Regarding documentation, how about referencing 'gitlab.com' on the following top-level selection? [2] You could add a new box linking to the EE documentation. That was the first place where I was looking, and it made me stumble.
[1] https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&sor...
[2] https://developer.github.com/v3/meta/