From 6c04104ce96c0206be023eeff63eea05525e1119 Mon Sep 17 00:00:00 2001 From: Kristian Date: Fri, 29 Jan 2021 09:37:23 -0800 Subject: [PATCH 1/2] Update securing-your-webhooks.md For example in C# you may need to use Encoding.UTF8.GetBytes(payload) instead of Encoding.ASCII.GetBytes(payload). Thanks. Cheers. --- content/developers/webhooks-and-events/securing-your-webhooks.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/developers/webhooks-and-events/securing-your-webhooks.md b/content/developers/webhooks-and-events/securing-your-webhooks.md index 8d9c3fea5c5e..985c814ef8f4 100644 --- a/content/developers/webhooks-and-events/securing-your-webhooks.md +++ b/content/developers/webhooks-and-events/securing-your-webhooks.md @@ -42,6 +42,7 @@ When your secret token is set, {% data variables.product.product_name %} uses it {% note %} **Note:** For backward-compatibility, we also include the `X-Hub-Signature` header that is generated using the SHA-1 hash function. If possible, we recommend that you use the `X-Hub-Signature-256` header for improved security. The example below demonstrate using the `X-Hub-Signature-256` header. +**Note** The payload of the webhook may contain unicode characters. {% endnote %} {% endif %} From f69d036f65f591e544110b7452592ab480ac0b46 Mon Sep 17 00:00:00 2001 From: Lucas Costi Date: Wed, 10 Feb 2021 16:56:04 +1000 Subject: [PATCH 2/2] Move encoding note to after code example --- .../webhooks-and-events/securing-your-webhooks.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/content/developers/webhooks-and-events/securing-your-webhooks.md b/content/developers/webhooks-and-events/securing-your-webhooks.md index 985c814ef8f4..c32343b777a2 100644 --- a/content/developers/webhooks-and-events/securing-your-webhooks.md +++ b/content/developers/webhooks-and-events/securing-your-webhooks.md 
@@ -41,8 +41,7 @@ When your secret token is set, {% data variables.product.product_name %} uses it {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %} {% note %} -**Note:** For backward-compatibility, we also include the `X-Hub-Signature` header that is generated using the SHA-1 hash function. If possible, we recommend that you use the `X-Hub-Signature-256` header for improved security. The example below demonstrate using the `X-Hub-Signature-256` header. -**Note** The payload of the webhook may contain unicode characters. +**Note:** For backward-compatibility, we also include the `X-Hub-Signature` header that is generated using the SHA-1 hash function. If possible, we recommend that you use the `X-Hub-Signature-256` header for improved security. The example below demonstrates using the `X-Hub-Signature-256` header. {% endnote %} {% endif %} @@ -81,6 +80,12 @@ def verify_signature(payload_body) end{% endif %} ``` +{% note %} + +**Note:** Webhook payloads can contain unicode characters. If your language and server implementation specifies a character encoding, ensure that you handle the payload as UTF-8. + +{% endnote %} + Your language and server implementations may differ from this example code. However, there are a number of very important things to point out: * No matter which implementation you use, the hash signature starts with {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" or "github-ae@latest" %}`sha256=`{% elsif currentVersion ver_lt "enterprise-server@2.23" %}`sha1=`{% endif %}, using the key of your secret token and your payload body.
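Review bot: In patch 1/2, the added line `**Note** The payload of the webhook may contain unicode characters.` states a fact but gives the reader nothing to do. The actionable part, using a UTF-8 encoding rather than ASCII when turning the payload into bytes, appears only in the commit message. The line is also appended with no blank line to the existing SHA-1 backward-compatibility paragraph inside the same `{% note %}` block, so it reads as a continuation of that paragraph, and it lacks the colon used by the `**Note:**` above it. As the context lines in patch 2/2 show, that block sits inside the `{% if currentVersion ... %}` gate, so the encoding advice would render only for those versions although it applies to any signature check. Suggest a separate note outside the conditional that tells the reader to treat the payload as UTF-8.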
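Review bot: In the second hunk of patch 2/2 (`@@ -81,6 +80,12 @@`), the new note says to "handle the payload as UTF-8" but not why that matters on this page. The signature is computed over the payload body, so converting the body to bytes with a different encoding (ASCII, for instance) changes the bytes for any non-ASCII character, and the digest the receiver computes will not match the header. Suggest adding that consequence in one clause and capitalizing "Unicode". Since the paragraph right after the note introduces a bullet list of "very important things to point out", the encoding point could also be a bullet in that list instead of a standalone note.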