I added a firewall rule to block requests from non-api.github.com referrers, or when the Content-Type header does not equal application/json, but it seems the second one is not working, because I tried to configure a Webhook on GitHub to make requests of type application/x-www-form-urlencoded, and it receives a successful status.
Can you share your full WAF rule?
The Referrer header isn’t set on API requests from GitHub. You’ll want to use the GitHub IP address for it instead.
How can I know the IP addresses from GitHub?
I’m a bit confused. Would I have to use hooks or API IPs?
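The check discussed in this thread (match on source IP instead of the Referrer header, and require a JSON Content-Type), sketched as an added example that is not code from any poster or from the WAF product. The function names are hypothetical and the CIDR ranges are constructed documentation prefixes, not GitHub's real ranges.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 / RFC 3849 documentation prefixes),
# standing in for the source ranges webhook deliveries come from.
SAMPLE_ALLOWED_CIDRS = ["192.0.2.0/24", "2001:db8::/32"]


def parse_networks(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def media_type(content_type):
    """Return the media type lowercased, without parameters such as charset."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def should_block(source_ip, headers, allowed_networks):
    """Return (block, reason). Block when EITHER condition fails."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True, "unparseable source IP"

    # Compare only against networks of the same IP version.
    in_range = any(
        addr.version == net.version and addr in net for net in allowed_networks
    )
    if not in_range:
        return True, "source IP outside allowed ranges"

    # Header names are case-insensitive; the Referer header is never consulted.
    lowered = {k.lower(): v for k, v in headers.items()}
    if media_type(lowered.get("content-type")) != "application/json":
        return True, "Content-Type is not application/json"

    return False, "allowed"


if __name__ == "__main__":
    nets = parse_networks(SAMPLE_ALLOWED_CIDRS)
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    print(should_block("192.0.2.10", form, nets))
    print(should_block("192.0.2.10", {"Content-Type": "application/json"}, nets))
```

An exact string comparison against `application/json` would also reject `application/json; charset=utf-8`, which is why the media type is normalised before comparing.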