Announcement: Deprecation of registering webhooks with non-secure URLs

Hello everyone,

On July 31, we published a deprecation notice for the usage non-secure URLs when registering webhooks in Jira Cloud.

Please see the full deprecation notice. Here’s a quick summary:

  • Newly registered webhooks will require URLs that are secure (HTTPS)
  • The server that receives the webhook events must have a valid SSL/TLS certificate issued from a globally recognized and trusted certificate authority (self-signed certificates are not acceptable).
  • At this time, existing webhooks that use non-secure URLs will continue to receive event data; however, this may be subject to change in the future; therefore, it is recommended to migrate any operationally critical webhooks over to HTTPS.

We plan to remove support for accepting non-HTTPS URLs on newly registered webhooks by December 31, 2018. You can track the progress of this change by watching ticket ACJIRA-1559.

Thanks,
Neil Mansilla

2 Likes

Hello everyone. Just wanted to provide an update that all newly registered webhooks require https URLs. Requests to create new webhooks with non-secure URLs will be declined, both in the API as well as the product UI.

Just out of curiosity: why did Atlassian ever accept non-secure web hooks in the first place?

@remie - heh. Only guessing here, but webhooks were probably introduced at a time when the de facto was not “https by default.”

@nmansilla: I thought Atlassian was incorporated in 2002 :wink: :stuck_out_tongue:
Anyway, good to see this is now enforced!