authorAntoine GIRARD <sapk@users.noreply.github.com>2018-01-30 23:09:16 +0100
committerLauris BH <lauris@nix.lv>2018-01-31 00:09:16 +0200
commitb3fd94c13d00f368dbd0f9414e699077ee4a6887 (patch)
treed6dacb844e486fa670f10bf61fac4ca3f18527a8
parentd09704e9032606654d07b03e1700474ca4d550e0 (diff)
Add sensitive headers (#3429)
* Add HeaderWithSensitiveCase methods to respect casing * Update webhook.go
-rw-r--r--models/webhook.go4
-rw-r--r--modules/httplib/httplib.go6
2 files changed, 8 insertions, 2 deletions
diff --git a/models/webhook.go b/models/webhook.go
index b18b9e35a3..62db84f86a 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -588,8 +588,8 @@ func (t *HookTask) deliver() {
Header("X-Gitea-Event", string(t.EventType)).
Header("X-Gogs-Delivery", t.UUID).
Header("X-Gogs-Event", string(t.EventType)).
- Header("X-GitHub-Delivery", t.UUID).
- Header("X-GitHub-Event", string(t.EventType)).
+ HeaderWithSensitiveCase("X-GitHub-Delivery", t.UUID).
+ HeaderWithSensitiveCase("X-GitHub-Event", string(t.EventType)).
SetTLSClientConfig(&tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify})
switch t.ContentType {
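Review bot: The two `X-GitHub-*` calls now use a different method from the Gitea and Gogs headers next to them, and nothing at the call site says why, so a later cleanup could switch them back to `Header(...)` without noticing. A comment above them would record the intent, for example `// Header() canonicalizes the key to X-Github-*; keep GitHub's exact casing for receivers that compare header names case-sensitively.` The reason given in that comment is inferred from the commit title and should be confirmed against the linked issue. deliver() starts and ends outside this hunk.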
diff --git a/modules/httplib/httplib.go b/modules/httplib/httplib.go
index 88190704bb..c96e04c35f 100644
--- a/modules/httplib/httplib.go
+++ b/modules/httplib/httplib.go
@@ -164,6 +164,12 @@ func (r *Request) Header(key, value string) *Request {
return r
}
+// HeaderWithSensitiveCase add header item in request and keep the case of the header key.
+func (r *Request) HeaderWithSensitiveCase(key, value string) *Request {
+ r.req.Header[key] = []string{value}
+ return r
+}
+
// Headers returns headers in request.
func (r *Request) Headers() http.Header {
return r.req.Header
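Review bot: HeaderWithSensitiveCase assigns `r.req.Header[key]` directly, so the entry is stored under a non-canonical key that `Header.Get`, `Set` and `Del` never look up. If the same name is also set through `Header(...)`, the map holds both spellings and the request carries the field twice. Receivers may disagree on which copy they honour. Adding `r.req.Header.Del(key)` before the assignment would drop the canonical spelling first. The doc comment should also say that the key is stored verbatim and not normalised, and that the casing is only preserved on HTTP/1.x, since HTTP/2 sends field names in lower case.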