I'm trying to figure out how to secure a webhook receiver for a GitHub service hook.
In the GitHub manual pages, when you look in the section on what IP addresses GitHub hooks will come from, it has this warning:
"We highly recommend that you don't white list IPs for Service Hooks. Instead, setup HTTPS and basic authentication to verify incoming requests."
In the documentation on post receive hooks I don't see any way to set up basic authentication.
How can I use basic authentication with a GitHub post-receive/service/web hook that notifies me of a commit to a repository?
Webhooks support two types of authentication: basic and bearer token. Both types of authentication should only be used over HTTPS (TLS). Although not recommended, it's also possible to create a webhook without authentication. To do this, omit the authentication property from the request.
Webhooks allow you to build or set up integrations, such as GitHub Apps or OAuth Apps, which subscribe to certain events on GitHub.com. When one of those events is triggered, we'll send an HTTP POST payload to the webhook's configured URL.
The unique webhook URL is secret. The webhook only accepts data, and thus alone cannot expose sensitive data to third parties.
I think you can just use
https://yourUser:[email protected]/path
like in any basic auth situation.
I will give it a try tomorrow, too :) https://github.com/blog/237-basic-auth-post-receives