Webhooks Should Not Be Allowed To Be Sent To The Local Network

policy name: webhooks_are_allowed_to_be_sent_to_local_network

severity: LOW

Description

Webhooks sent by GitLab servers are authenticated, and can cause potential damage if sent uncontrollably. For example, a malicious user can plant a webhook address that triggers an API call in GitLab itself which can delete resources. Therefore, as a security best practice, webhooks should be limited to external URLs only. You can read more here

Remediation

1. Press Settings -> Network
2. Expand “Outbound requests” section
3. Un toggle “Allow requests to the local network from web hooks and services”
4. Press “Save Changes”