Insecure Package Registry webhook
ID: package_hooks
Severity: high
Family: Package managers
Tags: infrastructure, non-reachable, security, supply-chain
Description
Insecure webhook configured in a package registry.
A webhook triggers an outbound HTTP request to a configured URL whenever a given action happens in the platform.
Package registries (standalone systems or the registry built into a Source Code Management system) typically use webhooks to notify third parties, such as CI pipelines or mirrors, when certain events occur, like the publishing of a new package version.
Security
A webhook delivery is an HTTP POST request to the target URL. If that URL is plain http:// rather than https://, the request travels without TLS and anyone on the path can read the payload or alter it (for example, changing the version or download location announced for a new package) before it reaches the receiver.
In addition, the webhook message should be protected by a message authentication code (MAC), typically an HMAC over the request body computed with a shared secret known to the emitter and the receiver. The receiver recomputes the HMAC over the raw body it received and compares it in constant time with the value carried in the request header, so it can verify that the message comes from the registry and was not modified. Without this check, any party that can reach the receiving endpoint can forge an event.
To prevent tampering with webhook deliveries, or compromise of the registry or of the web server accepting the request through forged events, use only secured webhooks: an HTTPS target URL and a shared-secret signature that the receiver verifies before acting on the event.
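The two checks described above, as an added example that is not part of this rule's documentation or of any particular registry's implementation: the emitter signs the raw body with HMAC-SHA256 under a shared secret, the receiver rejects any target URL that is not HTTPS and any delivery whose signature does not verify. The header name `X-Hub-Signature-256`, the secret and the JSON payload are assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for the example; a real registry would generate the secret
# and build the payload from the actual package event.
SECRET = b"example-shared-secret"
PAYLOAD = b'{"event":"package.published","name":"example-lib","version":"1.2.3"}'
SIGNATURE_HEADER = "X-Hub-Signature-256"  # assumed header name, modelled on a common convention


def is_secure_webhook_url(url):
    """Accept only HTTPS targets; a plain http:// hook can be read and altered in transit."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def sign_payload(secret, body):
    """Emitter side: HMAC-SHA256 over the raw request body, sent as 'sha256=<hex>'."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header_value):
    """Receiver side: recompute the tag over the raw body and compare in constant time.

    Comparing with hmac.compare_digest avoids leaking how many leading bytes matched.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def register_webhook(url):
    """Registry side: refuse to store a hook whose target is not HTTPS."""
    if not is_secure_webhook_url(url):
        raise ValueError("webhook target must use https://")
    return {"url": url, "signed": True}


def handle_delivery(secret, body, headers):
    """Receiver side: only act on deliveries whose signature verifies.

    Returns an (HTTP status, message) pair so the decision is testable.
    """
    sig = headers.get(SIGNATURE_HEADER, "")
    if not verify_signature(secret, body, sig):
        return 401, "invalid or missing signature"
    # Only now is it safe to trust the event, e.g. to start a build or update a mirror.
    return 200, "accepted"


if __name__ == "__main__":
    hook = register_webhook("https://ci.example.invalid/package-hook")
    good_headers = {SIGNATURE_HEADER: sign_payload(SECRET, PAYLOAD)}
    print(hook, handle_delivery(SECRET, PAYLOAD, good_headers))
    # A body altered in transit no longer matches the signature that travelled with it.
    tampered = PAYLOAD.replace(b"1.2.3", b"9.9.9")
    print(handle_delivery(SECRET, tampered, good_headers))
```

Note that the receiver must compute the HMAC over the exact bytes it received, before any JSON parsing or re-serialisation, otherwise whitespace or key-order differences would break verification for legitimate deliveries.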