How to Secure and Verify GitHub Webhooks with Hookdeck

Rodriq Jaro


Webhook security and verification are critical components in ensuring the security and integrity of your application. GitHub webhooks are no exception. If these webhooks are not properly secured, they can be vulnerable to security threats such as fraud, replay attacks, man-in-the-middle attacks, and unauthorized access. Learn more about webhook security here.

As a developer, dealing with each platform's own webhook security implementation often leads to maintenance issues, especially when you have to add and manage new providers. Hookdeck removes this layer of complexity by letting you manage all of them using Integrations, so you only have to implement Hookdeck's signature verification on your server(s).

In this article, I will provide a step-by-step guide on how to set up and configure your GitHub webhooks manually and with Hookdeck. By the end of this article, you will have a comprehensive understanding of how Hookdeck can help secure your GitHub webhooks and protect you from potential security threats.

How to manually secure GitHub webhooks

To manually secure your GitHub webhooks, you are required to perform the following steps:

  1. Log into your GitHub account, navigate to the repository's webhook settings, and set a secret for the webhook in question.
  2. Store the secret securely as an environmental variable in your application.
  3. When the secret token is set, GitHub generates a hash signature for each payload using an HMAC hex digest and adds it to the headers of each request as x-hub-signature-256.
  4. Use your secret token and the raw payload body to compute an HMAC SHA-256 hex digest, and check that the signature header starts with sha256=.
  5. Compare the computed hash to the GitHub hash.
  6. Process the payload if they match.
  7. To compare the hashes, use a constant-time string comparison function, such as secure compare.
  8. Depending on your implementation, specify a character encoding and make sure the payload is handled as UTF-8.
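The manual steps above, as an added Python example that is not part of the original post or Hookdeck's code. The secret and the request body are constructed sample values; in a real handler the secret comes from an environment variable and the body is the raw bytes of the request, read before any JSON parsing.

```python
import hmac
import hashlib

# Constructed sample values, not a real secret or real GitHub traffic.
WEBHOOK_SECRET = "example-webhook-secret"  # store as an environment variable in practice
SAMPLE_BODY = b'{"action":"opened","number":1}'


def compute_signature(secret: str, body: bytes) -> str:
    """Build the value GitHub puts in x-hub-signature-256:
    'sha256=' followed by the HMAC-SHA256 hex digest of the raw body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, body, header_value) -> bool:
    """Return True only if header_value is a valid sha256= signature for body.

    body must be the exact bytes GitHub sent; a str is encoded as UTF-8.
    Re-serialising parsed JSON changes the bytes and breaks the HMAC.
    """
    # Reject a missing header or one that is not a sha256= signature.
    if not header_value or not header_value.startswith("sha256="):
        return False
    if isinstance(body, str):
        body = body.encode("utf-8")
    expected = compute_signature(secret, body)
    # Constant-time comparison: does not leak where the two values differ.
    return hmac.compare_digest(expected, header_value)


if __name__ == "__main__":
    header = compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)
    print("valid request:", verify_signature(WEBHOOK_SECRET, SAMPLE_BODY, header))
    print("tampered body:", verify_signature(WEBHOOK_SECRET, SAMPLE_BODY + b" ", header))
```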

Learn more about securing GitHub webhooks here.

Verifying your webhooks this way does secure them. However, these steps present a whole new set of challenges, including implementation difficulties, compatibility issues, maintenance, and the possibility of errors throughout the validation process.

How to secure and verify GitHub webhooks with Hookdeck

To verify your GitHub webhook with Hookdeck:

  1. Create a Hookdeck connection with GitHub as the source and your application as the destination.
  2. Set a secret for your GitHub webhook and copy it.
  3. Navigate to **Integrations** from your Hookdeck dashboard.
  4. Select GitHub from the list of platforms.
  5. Fill in the Webhook Signing Secret as the secret set above.
  6. Select the GitHub source connection to secure.
  7. Confirm.

You can select multiple sources and secure them at once.

You now see the GitHub integration at the top of the integration page and the connection showing a green shield on the connection page.

Securing and Verifying GitHub webhooks with Hookdeck

Legitimate requests from GitHub are received successfully with a 200 status code, while any request without the secret is flagged with Failed verification and does not make it to your destination.

GitHub failed verification

Hookdeck can be used to centralize all your webhook security and verification, so that you only need to verify Hookdeck's signature on your server. See the guide here.

Conclusion

In this article, we have seen why it is important to secure and verify GitHub webhooks, how complicated manual verification can be to handle, and how much simpler it is to implement with Hookdeck.

In conclusion, using Hookdeck simplifies and streamlines the process of verifying GitHub webhooks, making it easier and more secure for developers to integrate quickly. By leveraging Hookdeck's automated verification process, you can be confident that you are accurately receiving and responding to GitHub webhook events without having to manually perform the time-consuming and complex steps involved in manual verification.