From ca3f79f3407255f618c480ae99b706c4e7d100ae Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Tue, 3 Dec 2024 03:54:53 -0600 Subject: [PATCH] Update best-practices-for-using-webhooks.md (#53195) Co-authored-by: David Staheli <1767415+davidstaheli@users.noreply.github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- .../using-webhooks/best-practices-for-using-webhooks.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/webhooks/using-webhooks/best-practices-for-using-webhooks.md b/content/webhooks/using-webhooks/best-practices-for-using-webhooks.md index 26a4df698dc1..4e11d0f5969d 100644 --- a/content/webhooks/using-webhooks/best-practices-for-using-webhooks.md +++ b/content/webhooks/using-webhooks/best-practices-for-using-webhooks.md @@ -16,7 +16,9 @@ You should only subscribe to the webhook events that you need. This will reduce ## Use a webhook secret -You should set a webhook secret for your webhook and verify that the signature of each webhook delivery matches the secret. This helps to ensure that the webhook delivery is from {% data variables.product.company_short %}. For more information, see "[AUTOTITLE](/webhooks/using-webhooks/securing-your-webhooks)." +> [!WARNING] +> To avoid accidental exposure of sensitive information, do **not** include sensitive information in your payload URL. +> This includes your own API keys and other authentication credentials. Instead, to validate that webhook deliveries were sent by {% data variables.product.github %} and have not been tampered with, use a webhook secret. For more information, see "[AUTOTITLE](/webhooks/using-webhooks/validating-webhook-deliveries)." The webhook secret should be a random string of text with high entropy. You should securely store your webhook secret in a way that your server can access.