Are webhook URLs secure/secret API keys?

Securing your webhooks - GitHub Docs says "the only way to have privileged data in a webhook is that GitHub will deliver a sha256 hash of a single pregenerated secret random string to your endpoint in an HTTP header".

I'm not interested in using SHA256 or loading a crypto lib inside my endpoint server that a webhook calls. Perhaps my endpoint URL doesn't even know what GitHub or a push is. It's just a URL to call (and ignores GET vs POST). If someone forks my repo, by git protocol to my repo, or GitHub Web UI fork, do they see the plaintext URLs of all the webhooks, or are the webhooks stripped during the GitHub Web UI fork?

Can webhook URLs have API keys in them?

As far as I know, you can set webhook URLs to anything you want. So for example, you could set it to https://my-app.com/github/ghp_mypersonalaccesstokenhere or https://my-app.com/github?token=ghp_mypersonalaccesstokenhere

When someone forks your repository, they will not get your webhook URLs. They are not exposed at any place.

But there are other ways a URL can leak that are outside of GitHub's control. It's good practice to verify the payload as a security measure.

I’m curious: why don’t you want to load a crypto lib inside your server?

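The answer above recommends verifying the payload rather than relying on a secret in the URL. The following is an added example (not code from either poster or from GitHub) showing what that verification looks like using only Python's standard library `hmac` and `hashlib` modules, so no third-party crypto library is needed. The secret and the request body are constructed sample values; the header name `X-Hub-Signature-256` and the `sha256=<hex>` format are the ones GitHub documents. A URL-token check is included alongside it for comparison: it is a constant-time string compare and nothing more, and it cannot tell whether the body was altered, which is why a leaked URL is a bigger problem than a leaked signature header.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Header GitHub sends when a webhook secret is configured; value is "sha256=<hex digest>"
SIGNATURE_HEADER = "X-Hub-Signature-256"


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, formatted as GitHub sends it."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if the header matches the HMAC of the body under `secret`.

    Uses hmac.compare_digest so the comparison time does not depend on
    how many leading characters match. A missing header is a failure,
    never a pass-through.
    """
    if not header_value:
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, header_value)


def verify_url_token(expected_token: str, presented_token: Optional[str]) -> bool:
    """Weaker alternative: a static token carried in the URL path or query.

    This proves the caller knows the URL, but says nothing about whether
    the body is what GitHub sent, so a tampered body still passes.
    """
    if presented_token is None:
        return False
    return hmac.compare_digest(expected_token, presented_token)


# Constructed sample values (hypothetical secret and push-event fragment)
SECRET = b"constructed-example-secret"
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'


def demo() -> Dict[str, bool]:
    """Exercise the verifier against a valid, a tampered, and a mis-keyed request."""
    good_header = compute_signature(SECRET, BODY)
    return {
        "valid": verify_signature(SECRET, BODY, good_header),
        "tampered_body": verify_signature(SECRET, BODY + b" ", good_header),
        "wrong_secret": verify_signature(b"some-other-secret", BODY, good_header),
        "missing_header": verify_signature(SECRET, BODY, None),
        # A URL token accepts the tampered body just as readily as the real one
        "url_token_ignores_body": verify_url_token("tok", "tok"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In a real endpoint the body passed to `verify_signature` must be the raw bytes as received, before any JSON parsing or re-serialisation, since re-encoding can change whitespace or key order and break the HMAC.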