I’m working on a bot that posts CircleCI build output to our Slack team via webhook.
Alas, it dawns on me that, given my team works in public GitHub repos, it’d be fairly trivial for somebody to craft a POST request to the service that would then post something inappropriate as the bot to Slack.
This isn’t an issue with GitHub as I’m able to use the secret token system detailed here. However, it feels like I basically have to rely on security through obscurity with the CircleCI aspect of my code.
- Is there a way of validating that the request payload came from Circle?
- If not, would you consider adding webhook secret tokens?
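For readers wondering what the "secret token" validation the post mentions for GitHub actually involves, here is an added example (not code from the original post, and not anything CircleCI provides): the receiving bot and the sender share a secret, the sender puts an HMAC-SHA256 of the raw request body in a header, and the bot recomputes and compares it before relaying anything to Slack. The header name `X-Hub-Signature-256` and the `sha256=<hex>` format follow GitHub's scheme; the secret value, the JSON fields and the `handle_webhook` helper are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed shared secret: configured on the sender and in the bot's
# environment, never committed to the public repo. Assumed value.
WEBHOOK_SECRET = b"example-shared-secret"

SIGNATURE_HEADER = "X-Hub-Signature-256"  # GitHub's header name, used as the model here


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the GitHub-style header value 'sha256=<hex HMAC-SHA256 of body>'."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """True only if header_value is the correct HMAC of the exact raw body.

    The comparison uses hmac.compare_digest so that a forger cannot learn the
    signature byte-by-byte from response timing.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(body: bytes, headers: dict) -> Tuple[int, str]:
    """Hypothetical request handler: reject before parsing, relay only if verified.

    Returns an (HTTP status, message) pair; the message is what the bot would
    post to Slack on success.
    """
    if not verify_signature(WEBHOOK_SECRET, body, headers.get(SIGNATURE_HEADER)):
        # Anyone on the public internet can reach the endpoint, so an unsigned or
        # mis-signed body is dropped without being interpreted at all.
        return 403, "signature mismatch: payload rejected"
    event = json.loads(body)
    return 200, f"build {event.get('build_num')} {event.get('status')}"


if __name__ == "__main__":
    # Constructed legitimate request: the sender signs the body with the shared secret.
    good_body = b'{"build_num": 42, "status": "success"}'
    good_headers = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, good_body)}
    print(handle_webhook(good_body, good_headers))

    # Constructed forged request: right shape, but no knowledge of the secret.
    forged_body = b'{"build_num": 999, "status": "something inappropriate"}'
    print(handle_webhook(forged_body, {}))
    # Replaying a real signature against a different body also fails.
    print(handle_webhook(forged_body, good_headers))
```

The important design points are that the HMAC is computed over the raw bytes exactly as received (re-serialising parsed JSON would change the bytes and break verification), that the secret never appears in the repository, and that comparison is constant-time. Without a sender-side signature like this, a receiver has no way to distinguish a genuine build notification from a crafted POST, which is exactly the gap the post describes.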