Security

GitScrum webhook security: custom headers, HTTPS requirements, IP considerations, and request verification.

Secure your webhook endpoints to ensure only legitimate GitScrum requests are processed.

Request Headers

Every webhook delivery from GitScrum includes these custom headers:

Header	Value	Purpose
`X-Header`	`GitScrum`	Identifies the request as coming from GitScrum
`User-Agent`	`GitScrum Webhook`	Standard user agent identification
`Content-Type`	`application/json`	Payload format

Verifying the Source

Check the X-Header header to confirm requests originate from GitScrum:

app.post('/webhooks/gitscrum', (req, res) => {
  // Verify the request comes from GitScrum
  if (req.headers['x-header'] !== 'GitScrum') {
    return res.status(403).json({ error: 'Forbidden' });
  }

  // Process the webhook
  const event = req.body;
  // ...

  res.status(200).json({ received: true });
});

@app.route('/webhooks/gitscrum', methods=['POST'])
def webhook():
    # Verify the request comes from GitScrum
    if request.headers.get('X-Header') != 'GitScrum':
        return jsonify({"error": "Forbidden"}), 403

    event = request.get_json()
    # Process the webhook...

    return jsonify({"received": True}), 200

HTTPS

Always use HTTPS for your webhook endpoint URLs. HTTPS encrypts the data in transit, preventing:

Payload interception by third parties
Man-in-the-middle attacks
Data tampering

While HTTP endpoints work, GitScrum strongly recommends HTTPS for all production webhook configurations.

Endpoint URL Security

Protect your webhook endpoint with additional measures:

Use a Unique Path

Use an unpredictable path for your webhook endpoint:

✅ https://your-server.com/webhooks/gs-a8x92j4k
❌ https://your-server.com/webhooks

IP Allowlisting

If your infrastructure supports it, configure firewall rules to only accept requests from GitScrum's IP ranges. Contact GitScrum support for current IP information.

Rate Limiting

Implement rate limiting on your webhook endpoint to protect against unexpected traffic spikes:

const rateLimit = require('express-rate-limit');

const webhookLimiter = rateLimit({
  windowMs: 1 * 60 * 1000, // 1 minute
  max: 100, // 100 requests per minute
});

app.post('/webhooks/gitscrum', webhookLimiter, (req, res) => {
  // Process webhook
});

Data Handling

Sensitive Data

Webhook payloads may contain:

Task titles and descriptions with sensitive project information
Team member names and usernames
Sprint and project details

Handle webhook data with the same security standards as your other business data.

Data Retention

GitScrum logs webhook deliveries including the payload body and response status code. These logs are stored in the webhook delivery log and are accessible through the project.

Payload Validation

Always validate the payload structure before processing:

app.post('/webhooks/gitscrum', (req, res) => {
  const { data } = req.body;

  if (!data || typeof data !== 'object') {
    return res.status(400).json({ error: 'Invalid payload' });
  }

  // Validate expected fields exist
  if (!data.uuid) {
    return res.status(400).json({ error: 'Missing uuid' });
  }

  // Process valid webhook
  // ...

  res.status(200).json({ received: true });
});

Payload Format — Payload structure reference
Best Practices — Production webhook handling
Troubleshooting — Common issues and fixes