
Validating webhook deliveries

You can use a webhook secret to verify that a webhook delivery is from GitHub.

About validating webhook deliveries

Once your server is configured to receive payloads, it will listen for any delivery that's sent to the endpoint you configured. To ensure that your server only processes webhook deliveries that were actually sent by GitHub, and that the payload was not altered in transit, validate the webhook signature before you do anything else with the delivery, including parsing the JSON body. GitHub computes an HMAC-SHA256 over the raw request body, keyed with your webhook secret, and sends it in the X-Hub-Signature-256 header; anyone who does not know the secret cannot produce a valid signature for a payload of their choosing. Checking it avoids spending server time on forged deliveries and protects against spoofed or tampered payloads. Two caveats matter in practice: hash the raw bytes exactly as received (re-serializing parsed JSON can change the bytes and break the check), and compare signatures with a constant-time comparison so an attacker cannot learn the expected value through response timing. The signature check does not replace TLS; use an https:// payload URL as well.

To do this, you need to:

  1. Create a secret token for a webhook.
  2. Store the token securely on your server.
  3. Validate incoming webhook payloads against the token, to verify that they are coming from GitHub and were not tampered with.
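The three steps above, carried through in one place. This is an added example, not code from the GitHub documentation: it generates a secret suitable for step 1, reads it from an environment variable for step 2 (the variable name GITHUB_WEBHOOK_SECRET is an assumption), and for step 3 recomputes the HMAC-SHA256 of the raw body and compares it in constant time against the X-Hub-Signature-256 header. The handle_delivery function is a framework-independent stand-in for your request handler, and the sample secret, body and headers are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption for this example: the secret lives in an environment variable
# rather than in source code or the database. Any name works; this is ours.
SECRET_ENV_VAR = "GITHUB_WEBHOOK_SECRET"


def generate_webhook_secret(n_bytes: int = 32) -> str:
    """Step 1: a high-entropy random token to paste into the webhook settings.
    32 random bytes rendered as 64 hex characters is more than enough."""
    return secrets.token_hex(n_bytes)


def load_webhook_secret() -> bytes:
    """Step 2: read the stored secret at runtime. Fail loudly if it is absent so
    a misconfigured server never silently accepts unsigned deliveries."""
    value = os.environ.get(SECRET_ENV_VAR)
    if not value:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set; refusing to accept webhooks")
    return value.encode("utf-8")


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Return the value GitHub sends in X-Hub-Signature-256: the literal prefix
    'sha256=' followed by the hex HMAC-SHA256 of the raw request body, keyed
    with the webhook secret."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Step 3: True only when the header is present, carries the sha256= prefix,
    and matches our own HMAC of the exact bytes received. hmac.compare_digest
    runs in constant time, so a wrong guess leaks nothing through timing."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, signature_header)


def handle_delivery(headers: dict, raw_body: bytes, secret: bytes) -> tuple:
    """Framework-independent handler skeleton (an assumption of this example,
    not a GitHub or framework API). Validates before touching the body and
    rejects with 401 on any failure. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get("x-hub-signature-256")
    if not verify_signature(secret, raw_body, signature):
        # Reject before parsing JSON: a forged delivery should not even reach
        # the parser, let alone any business logic.
        return (401, "invalid or missing X-Hub-Signature-256")
    event = lowered.get("x-github-event", "unknown")
    # Only now is it safe to json.loads(raw_body) and act on it.
    return (200, f"accepted {event} delivery")


if __name__ == "__main__":
    # Constructed demo: pretend GitHub signed this body with our secret.
    demo_secret = b"It's a Secret to Everybody"
    demo_body = b'{"zen":"Keep it logically awesome.","hook_id":123}'
    good_headers = {
        "X-GitHub-Event": "ping",
        "X-Hub-Signature-256": compute_signature(demo_secret, demo_body),
    }
    print("new secret for step 1:", generate_webhook_secret())
    print("genuine delivery:", handle_delivery(good_headers, demo_body, demo_secret))
    print("tampered body:   ", handle_delivery(good_headers, demo_body + b" ", demo_secret))
    print("no signature:    ", handle_delivery({"X-GitHub-Event": "ping"}, demo_body, demo_secret))
```

Note that verify_signature takes the body as bytes straight from the socket or framework request object; if your framework hands you an already-decoded object, go back and fetch the raw body, because any change to whitespace or key order changes the HMAC.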