Announcement: Deprecation of registering webhooks with non-secure URLs

nmansilla · August 7, 2018, 12:36am

Hello everyone,

On July 31, we published a deprecation notice for the usage non-secure URLs when registering webhooks in Jira Cloud.

Please see the full deprecation notice. Here’s a quick summary:

Newly registered webhooks will require URLs that are secure (HTTPS)
The server that receives the webhook events must have a valid SSL/TLS certificate issued from a globally recognized and trusted certificate authority (self-signed certificates are not acceptable).
At this time, existing webhooks that use non-secure URLs will continue to receive event data; however, this may be subject to change in the future; therefore, it is recommended to migrate any operationally critical webhooks over to HTTPS.

We plan to remove support for accepting non-HTTPS URLs on newly registered webhooks by December 31, 2018. You can track the progress of this change by watching ticket ACJIRA-1559.

Thanks,
Neil Mansilla

nmansilla · February 21, 2019, 6:38pm

Hello everyone. Just wanted to provide an update that all newly registered webhooks require https URLs. Requests to create new webhooks with non-secure URLs will be declined, both in the API as well as the product UI.

remie · February 21, 2019, 6:51pm

Just out of curiosity: why did Atlassian ever accept non-secure web hooks in the first place?

nmansilla · February 21, 2019, 6:57pm

@remie - heh. Only guessing here, but webhooks were probably introduced at a time when the de facto was not “https by default.”

remie · February 21, 2019, 10:08pm

@nmansilla: I thought Atlassian was incorporated in 2002
Anyway, good to see this is now enforced!