12

I'm trying to figure out how to secure a webhook receiver for a github service hook.

In the github manual pages, when you look in the section on what IP addresses github hooks will come from, it has this warning:

"We highly recommend that you don't white list IPs for Service Hooks. Instead, setup HTTPS and basic authentication to verify incoming requests."

In the documentation on post receive hooks I don't see any way to set up basic authentication.

How can I use basic authentication with a github post-receive/service/web hook that notifies me of a commit to a repository?

Brian Tingle
  • superset question: how to do authenticated webhooks: http://stackoverflow.com/questions/9007030/how-to-verify-a-post-receive-hook-request-actually-came-from-github – Ciro Santilli OurBigBook.com Aug 05 '14 at 20:03
  • I saw that too; but the accepted answer is exactly what the quote above from github says NOT to do. All the answers on that page seem sort of hokey, except for http://stackoverflow.com/a/20856954/1763984 which didn't used to be there (and I just upvoted it) – Brian Tingle Aug 05 '14 at 20:12

1 Answer

18

I think you can just use

https://yourUser:yourSecret@yoursite.net/path

like in any basic auth situation.

I will give it a try tomorrow, too :) https://github.com/blog/237-basic-auth-post-receives

Ax3l
  • I just tried it right now: Go to your Repository->Settings->Service Hooks and use the syntax above in your WebhookUrl :) – Ax3l Aug 26 '13 at 20:04
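
The receiving side of the URL syntax in the answer above, as an added example that is not part of the original answer: a minimal Python receiver that validates the `Authorization: Basic` header before touching the payload. It assumes the sender turns the `yourUser:yourSecret` part of the URL into a standard Basic header; the credentials, port and handler name are placeholders.

```python
import base64
import binascii
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder credentials (assumptions); load real ones from configuration.
EXPECTED_USER = "yourUser"
EXPECTED_SECRET = "yourSecret"


def check_basic_auth(header, user=EXPECTED_USER, secret=EXPECTED_SECRET):
    """Return True only if an Authorization header carries the expected pair."""
    if not header:
        return False
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # Split on the first colon only, so the secret itself may contain colons.
    got_user, sep, got_secret = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison; evaluate both parts before combining them.
    user_ok = hmac.compare_digest(got_user.encode(), user.encode())
    secret_ok = hmac.compare_digest(got_secret.encode(), secret.encode())
    return user_ok and secret_ok


class HookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Reject before reading the body, so unauthenticated input is never parsed.
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="webhook"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        payload = self.rfile.read(length)  # hand off to your hook logic here
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to localhost and terminate HTTPS in a reverse proxy in front:
    # Basic credentials are only base64-encoded, not encrypted.
    HTTPServer(("127.0.0.1", 8000), HookHandler).serve_forever()
```
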