How to verify a post-receive hook request actually came from github?

Front-end · unresolved · 5 answers · 1518 views
不知归路 2020-12-08 16:19

Github offers a way to let a URL know when a project has been updated using webhooks.

How do I verify that a post sent to my server's post-receive hook act

5 answers
  •  粉色の甜心
    2020-12-08 17:15

    You could locate your webhook at a hard-to-guess URL. Say:

    https://my-host.com/webhooks/E36006BE2C4BABDEEF307C77E34F415B/my-hook
    

    (That's 128 bits of random data - increase to whatever size feels comfortable.) Assuming you can trust GitHub to keep this URL secure, it's pretty likely that a client hitting that URL can be trusted.

    If the URL should ever be compromised, it's a simple matter to just generate a new random URL and update your web server.

    Just make sure you're using a good source of entropy...
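
A minimal receiver for the hard-to-guess-URL check described in this answer, as an added example (not code from the answer, the asker, or GitHub): it mints the token from the OS CSPRNG, extracts it from the request path, and compares it in constant time so a timing oracle cannot recover it character by character. The path layout `/webhooks/<token>/my-hook` follows the answer's URL; the function names, the sample delivery and the webhook secret are constructed for this example. It goes one step beyond the answer: when a webhook secret is configured, it also verifies GitHub's `X-Hub-Signature-256` header, which carries `sha256=` followed by the hex HMAC-SHA256 of the raw request body under that secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical receiver layout, mirroring the answer's example URL:
#   https://my-host.com/webhooks/<token>/my-hook
HOOK_PREFIX = "/webhooks/"
HOOK_SUFFIX = "/my-hook"


def new_hook_token(nbits: int = 128) -> str:
    """Mint a fresh URL token from the OS CSPRNG; never use random.random() for this."""
    if nbits <= 0 or nbits % 8:
        raise ValueError("nbits must be a positive multiple of 8")
    return secrets.token_hex(nbits // 8).upper()


def token_from_path(path: str) -> Optional[str]:
    """Pull the token segment out of a request path, or None if the layout does not match."""
    p = urlsplit(path).path  # drops any ?query or #fragment appended to the path
    if not (p.startswith(HOOK_PREFIX) and p.endswith(HOOK_SUFFIX)):
        return None
    token = p[len(HOOK_PREFIX):-len(HOOK_SUFFIX)]
    return token if token and "/" not in token else None


def token_matches(expected: str, presented: Optional[str]) -> bool:
    """Constant-time comparison: a plain == leaks how many leading characters were right."""
    if presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_matches(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Recompute the HMAC over the exact bytes received and compare in constant time."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body).encode(), header_value.encode())


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def accept_request(path: str, headers: Dict[str, str], body: bytes,
                   url_token: str, secret: Optional[bytes] = None) -> Tuple[int, str]:
    """Decide whether to act on a delivery; returns (HTTP status, reason).

    The URL token is the check from the answer. If a webhook secret is also
    configured, the body signature must verify as well (defence in depth).
    """
    if not token_matches(url_token, token_from_path(path)):
        return 404, "unknown hook URL"  # 404 rather than 403: do not confirm the prefix exists
    if secret is not None and not signature_matches(secret, body, _header(headers, "X-Hub-Signature-256")):
        return 401, "bad or missing X-Hub-Signature-256"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample delivery, not captured traffic.
    token = "E36006BE2C4BABDEEF307C77E34F415B"
    secret = b"constructed-webhook-secret"
    body = b'{"ref":"refs/heads/main"}'
    good = accept_request(f"/webhooks/{token}/my-hook",
                          {"X-Hub-Signature-256": sign_body(secret, body)}, body, token, secret)
    bad = accept_request(f"/webhooks/{new_hook_token()}/my-hook", {}, body, token, secret)
    print(good, bad)
```

To rotate, call `new_hook_token()`, update the hook URL in the repository's webhook settings and the token the receiver compares against, and discard the old one. Bear in mind that the token travels in the URL, so it lands in the receiver's access logs and in any proxy or CDN logs along the way; the body signature does not have that problem, which is one reason to keep it as the second check.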
