Skip to content

Webhook Secret #76

New issue
New issue
Open
Open
Webhook Secret#76
Labels
enhancementquestiontechnical
@nelsonic

Description

@nelsonic
nelsonic
opened on Mar 11, 2018

When creating a New GitHub Application via https://github.com/settings/apps/new
we are given the option to add a Webhook Secret:
image
While the Webhook Secret is "optional", I feel it would add good "security layer" to our app.
Otherwise anyone can "spoof" a webhook POST request to our app and make an "edit" to someone else's issue.

Yes, this would be "non-destructive" because the "single-source-of-truth" is still GitHub.
But if the person made multiple "malicious" edits they could create quite a lot of spam/noise.

I don't think we need to do this "urgently" while we are using the app internally,
but as soon as it's public we should consider adding this layer of protection.

How would this work in our Elixir/Phoenix App?
The ruby code in the docs: https://developer.github.com/webhooks/securing
should be fairly easy to "translate" to Elixir.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementquestiontechnical

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions