GitHub - Require webhook_token
It's quite unsafe to run without webhook_token, and quite easy for us to
run our tests with a terribly predictable one. This will ensure that
nobody accidentally runs a Zuul vulnerable to MITM proxy attacks.
Per the link right under the doc we just changed, we also use
hmac.compare_digest to prevent timing analysis by malicious attackers
which would help them discover the secret.
Change-Id: Ie8aa83b81b8e4ef1bb755a664bf416a8663930fa
diff --git a/doc/source/admin/drivers/github.rst b/doc/source/admin/drivers/github.rst
index 5075f80..3c46be9 100644
--- a/doc/source/admin/drivers/github.rst
+++ b/doc/source/admin/drivers/github.rst
@@ -48,9 +48,8 @@
<https://help.github.com/articles/creating-an-access-token-for-command-line-use/>`_.
**webhook_token**
- Optional: Token for validating the webhook event payloads.
- If not specified, payloads are not validated. In the GitHub App Configuration
- page, this is called "Webhook secret".
+ Required token for validating the webhook event payloads. In the
+ GitHub App Configuration page, this is called "Webhook secret".
See `Securing your webhooks
<https://developer.github.com/webhooks/securing/>`_.
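Review bot: The new **webhook_token** text says "Required" but does not say what an operator will see when the option is missing or empty, so someone upgrading an existing deployment cannot tell from this entry whether the service refuses to start or the connection rejects events. Suggest adding one sentence that states the failure behaviour. Since the commit message notes how easy it is to run with a predictable token, the entry could also say that the value should be a long random secret and must match the "Webhook secret" set on the GitHub side. The removed sentence "If not specified, payloads are not validated" was the only place that explained the consequence of leaving it unset; a short note that unsigned or wrongly signed payloads are now rejected would keep that context for readers.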