Github signature not required for setting up a webhook

aspnet / WebHooks

[Archived] Libraries to create and consume web hooks on ASP.NET Core. Project moved to https://github.com/aspnet/AspLabs

Apache License 2.0

627 stars 439 forks source link

Github signature not required for setting up a webhook #263

Closed WestDiscGolf closed 6 years ago

WestDiscGolf commented 6 years ago

Question: As part of the Webhooks specification on https://developer.github.com/webhooks/securing/ it does not specify you have to use a secret value. The GithubWebhook implementation expects the signature header to exist. Are there any plans to support insecure hooks or is it expecting if using the aspnet webhook the setup has to have a secret key?

Just want clarification before I spend time looking at potential options and sending a PR :-)

dougbu commented 6 years ago

There are no plans to support insecure requests. Further, all WebHooks receivers require a secret key (or similar configuration) and use it to confirm requests came from the intended sender.

WestDiscGolf commented 6 years ago

No problem, good to know.