What is the name of the domain?
squarecandydesign.com
What is the issue you’re encountering?
GitHub Webhooks cannot be authorized by using the list of known bots
What steps have you taken to resolve the issue?
We’re trying to allow GitHub Actions and webhooks to make updates to our site by allowing them to skip all rules. The user agent starts with “GitHub-Hookshot”.
I would prefer to lock this to known bots by using an expression like this:
cf.verified_bot_category eq "Webhooks" and http.user_agent contains "GitHub-Hookshot"
Also tried
cf.client.bot and http.user_agent contains "GitHub-Hookshot"
But neither one is working at the moment, so we are just using http.user_agent contains "GitHub-Hookshot", which is pretty easily open to spoofing.
What are the steps to reproduce the issue?
In Security > WAF > Custom Rules:
- Set up a block rule for the site
- Set up a Skip rule above the block rule
- Add the expression
cf.verified_bot_category eq "Webhooks" and http.user_agent contains "GitHub-Hookshot"
to the Skip rule
- Attempt to use GitHub Webhooks to create a POST request to the site
The webhook will fail because it does not have access, since GitHub is not in the list of verified bots.
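Because the User-Agent header is under the sender's control, the check that does not depend on Cloudflare's verified bot list is the per-delivery HMAC that GitHub attaches to each webhook as X-Hub-Signature-256 when a webhook secret is configured. The following is an added example for the application receiving the webhook; it is not code from the original post, from Cloudflare, or from GitHub. It assumes a secret has been set on the webhook, and the secret and payload bytes below are constructed sample values.

```python
"""Verify GitHub webhook deliveries by their HMAC-SHA256 signature rather than by
trusting the User-Agent string.  Added example; SECRET and BODY are constructed."""
import hashlib
import hmac
from typing import Mapping, Optional, Tuple


def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub places in X-Hub-Signature-256:
    "sha256=" followed by the hex HMAC-SHA256 of the raw body under the secret."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Constant-time comparison of the presented header against the expected value.
    A missing header or a non-sha256 prefix is rejected outright."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), signature_header.encode())


def handle_webhook(headers: Mapping[str, str], body: bytes, secret: bytes) -> Tuple[int, str]:
    """Decide whether a delivery is processed.  Header names are matched
    case-insensitively; the User-Agent plays no part in the decision."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, lowered.get("x-hub-signature-256")):
        return 401, "invalid or missing X-Hub-Signature-256"
    event = lowered.get("x-github-event", "unknown")
    return 200, f"accepted {event} delivery"


# Constructed sample values (not a real secret or a real delivery)
SECRET = b"example-webhook-secret"
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/site"}}'


def demo() -> dict:
    """Run the handler over four constructed deliveries and return the outcomes."""
    genuine = {
        "User-Agent": "GitHub-Hookshot/abc123",
        "X-GitHub-Event": "push",
        "X-Hub-Signature-256": sign_payload(SECRET, BODY),
    }
    # Correct User-Agent but no signature: the UA alone proves nothing.
    ua_only = {"User-Agent": "GitHub-Hookshot/abc123", "X-GitHub-Event": "push"}
    return {
        "genuine": handle_webhook(genuine, BODY, SECRET),
        "ua_only": handle_webhook(ua_only, BODY, SECRET),
        # Valid signature over the original body, but the body was altered in transit.
        "tampered_body": handle_webhook(genuine, BODY + b" ", SECRET),
        # Signature computed under a different secret than the receiver holds.
        "wrong_secret": handle_webhook(genuine, BODY, b"other-secret"),
    }


if __name__ == "__main__":
    for name, (status, message) in demo().items():
        print(f"{name}: {status} {message}")
```

The signature must be computed over the exact raw request bytes, so read the body before any JSON parsing or re-serialisation. With this check in the application, the WAF skip rule can stay as narrow as the post describes, and a request that merely carries the right User-Agent still does nothing without the secret.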