github service hook and basic authentication

12
votes

I'm trying to figure out how to secure a webhook reciever for a github service hook.

In the github manual pages, when you look in the section on what IP addresses github hooks will come from, it has this warning:

"We highly recommend that you don't white list IPs for Service Hooks. Instead, setup HTTPS and basic authentication to verify incoming requests."

In the documentation on post receive hooks I don't see any way to set up basic authentication.

How can I use basic authentication with github post-recieve/service/web hook that notifies me of a commit to a repository?

1
githubwebhooksgit-post-receive
superset question: how to do authenticated webhooks: stackoverflow.com/questions/9007030/…Ciro Santilli 新疆再教育营六四事件法轮功郝海东
I saw that too; but the accepted answer is exactly what the quote above from github says NOT to do. All the answers on that page seem sort of hokey, except for stackoverflow.com/a/20856954/1763984 which didn't used to be there (and I just upvoted it)Brian Tingle

1 Answers

18
votes

I think you can just use

https://yourUser:[email protected]/path

like in any basic auth situation.

I will give it a try tomorrow, too :) https://github.com/blog/237-basic-auth-post-receives