When creating a New GitHub Application via https://github.com/settings/apps/new
we are given the option to add a Webhook Secret:
While the Webhook Secret is "optional", I feel it would add good "security layer" to our app.
Otherwise anyone can "spoof" a webhook POST request to our app and make an "edit" to someone else's issue.
Yes, this would be "non-destructive" because the "single-source-of-truth" is still GitHub.
But if the person made multiple "malicious" edits they could create quite a lot of spam/noise.
I don't think we need to do this "urgently" while we are using the app internally,
but as soon as it's public we should consider adding this layer of protection.
When creating a New GitHub Application via https://github.com/settings/apps/new we are given the option to add a
While the
Webhook Secret
:Webhook Secret
is "optional", I feel it would add good "security layer" to our app. Otherwise anyone can "spoof" a webhookPOST
request to our app and make an "edit" to someone else's issue.I don't think we need to do this "urgently" while we are using the app internally, but as soon as it's
public
we should consider adding this layer of protection.How would this work in our Elixir/Phoenix App? The
ruby
code in the docs: https://developer.github.com/webhooks/securing should be fairly easy to "translate" to Elixir.