Securing your webhooks - GitHub Docs says “only way to have privileged data in a webhook is Github will deliver a sha256 hash of a single pregenerated secret random string to your endpoint in a HTTP header”.
Im not interested in using SHA256 or loading a crypto lib inside my endpoint server that a webhook calls. Perhaps my endpoint URL doesn’t even know what github or a push is. Its just a URL to call (and ignores GET vs POST). If someone forks my repo, by git protocol to my repo, or Github Web UI fork, do they see the plaintext URLs of all the webhooks, or are the webhooks stripped during the Github Web UI fork?
Can webhook URLs have API keys in them?