webhooks should send HMAC tokens and not plaintext secret for verification
Problem to solve
Currently, GitLab webhooks send the full secret token in plaintext, possibly over a TLS connection, with each delivery. This is generally considered poor security practice: TLS, where it is used at all, protects only the transport, so the reusable secret is still exposed to any interception, to every proxy or load balancer that terminates TLS on the way to the receiver, and to the receiver's own request logs.
Further details
The recommendation is to stop sending the full secret in a header at all, and instead to sign the request body with an HMAC keyed on the secret (RFC 2104) and send the resulting tag in a header, as Gitea, GitHub and most other webhook providers do. The receiver recomputes the HMAC over the raw body with its own copy of the secret and compares the two tags; the secret itself never leaves either side.
Proposal
What does success look like, and how can we measure that?
- HMAC-sign outbound webhooks and put the resulting token in an X-Gitlab-Signature header, instead of sending the actual secret every time.
- For new webhooks, provide a flag in the UI, enabled by default, to use HMAC signing.
- For existing webhooks, make the insecure config visible in the UI so that users are aware of the need to change.
- Inform customers of the new feature and, after a reasonable period of time, deprecate sending the plaintext secret.
- Track customers that have not changed over, and keep reminding them regularly.
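As an added example (not GitLab's code, and not the format of any header GitLab currently sends), here is what both sides of the proposal above look like in Ruby: the sender signs the raw body with HMAC-SHA256 and sends `sha256=<hex>` in an assumed `X-Gitlab-Signature` header, and the receiver recomputes the tag over the bytes it actually received and compares in constant time. The secret, payload and header name are constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Assumed header name for this example; the issue proposes X-Gitlab-Signature
# but GitLab does not define its format, so "sha256=<hex>" is our choice here.
SIGNATURE_HEADER = 'X-Gitlab-Signature'

# Sender side: MAC the exact bytes that go on the wire. Re-serialising the
# payload on either side would change whitespace or key order and break the tag.
def sign_webhook(secret, body)
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  "sha256=#{mac}"
end

# Build an outbound delivery: headers carry the signature, never the secret.
def build_delivery(secret, payload)
  body = JSON.generate(payload)
  {
    headers: {
      SIGNATURE_HEADER => sign_webhook(secret, body),
      'Content-Type' => 'application/json'
    },
    body: body
  }
end

# Constant-time comparison. A plain == returns at the first differing byte,
# which leaks how many leading bytes of the tag an attacker has guessed right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Receiver side: reject missing or malformed headers, recompute the tag over
# the raw request body with our copy of the secret, and compare safely.
def verify_webhook(secret, headers, raw_body)
  header = headers[SIGNATURE_HEADER]
  return false if header.nil?

  algo, mac = header.split('=', 2)
  return false unless algo == 'sha256' && mac && !mac.empty?

  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, raw_body)
  secure_compare(expected, mac)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample secret and payload.
  secret = '123456789abcdef0123456789abcdef0'
  delivery = build_delivery(secret, { 'object_kind' => 'push', 'ref' => 'refs/heads/main' })
  puts "#{SIGNATURE_HEADER}: #{delivery[:headers][SIGNATURE_HEADER]}"
  puts "valid:    #{verify_webhook(secret, delivery[:headers], delivery[:body])}"
  tampered = delivery[:body].sub('main', 'evil')
  puts "tampered: #{verify_webhook(secret, delivery[:headers], tampered)}"
end
```

Two things matter in practice beyond what the proposal spells out: verify over the raw body bytes as received, not over a parsed-and-re-encoded object, and compare tags with a constant-time function rather than `==`. An HMAC over the body alone also does not stop a captured delivery from being replayed later; folding a timestamp or a unique delivery ID into the signed input closes that gap.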
Links / references
- https://tools.ietf.org/html/rfc2104 (HMAC) & https://tools.ietf.org/html/rfc6151 (updated security considerations for MD5 and HMAC-MD5)
- Computing the tag with OpenSSL over a saved request body, using `123456789abcdef0123456789abcdef0` as the webhook secret:

```sh
# body.json holds the raw HTTP request body exactly as sent
cat body.json | openssl dgst -sha1 -hmac 123456789abcdef0123456789abcdef0
```

- https://docs.gitea.io/en-us/webhooks/
- https://developer.github.com/webhooks/securing/