Menu
Github offers a way to let a URL know when a project has been updated using webhooks.
How do I verify that a post sent to my server's post-receive hook actually came from github?
Should I check the IP address of the sender or can I send an auth check somewhere? I want to make sure someone doesn't try to spoof a request pretending to be from github.
One option is to setup the hook through PubSubHubbub and use the hub.secret option to create a SHA1 HMAC signature of the post body. However, that would require my server setting up the request rather than waiting for users to setup the post-receive callback to my site when they want to. I would rather just ask users to paste the URL I give them into the post url.
206
You can ping GitHub's Meta API to get an array of IP addresses (in CIDR notation) that the incoming service hooks will originate from and cross check them against the request's IP :
https://api.github.com/meta
177
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
