feat(integrations): Restrict webhook headers to Authorization and X-*

Narrow the custom webhook header allow list to only the Authorization
header and X-* custom headers. Previously User-Agent, Accept, Date, and
Prefer were also permitted; these are removed so callers can only set an
auth credential and their own namespaced custom headers.

The X-* allowance is unchanged (it is a separate prefix check), and the
reserved-header guards still take precedence, so headers like
X-Forwarded-* and X-Sentry-* remain blocked.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: billyvg

src/sentry/sentry_apps/api/parsers/sentry_app.py

@@ -16,9 +16,9 @@
 from sentry.sentry_apps.utils.webhooks import VALID_EVENT_RESOURCES
 from sentry.utils.display_name_filter import is_spam_display_name
 
-# Custom webhook headers are intentionally limited to application-level metadata
-# and common custom-header names. Names are compared case-insensitively.
-ALLOWED_WEBHOOK_HEADERS = frozenset({"authorization", "user-agent", "accept", "date", "prefer"})
+# Custom webhook headers are intentionally limited to Authorization and X-*
+# custom headers. Names are compared case-insensitively.
+ALLOWED_WEBHOOK_HEADERS = frozenset({"authorization"})
 
 # RFC 7230 §3.2.6 — header field names are "tokens": letters, digits, and
 # the limited punctuation set below. Excludes separators and control chars.
@@ -256,8 +256,8 @@ def validate_webhookHeaders(self, value):
                 raise ValidationError(f"'{name}' is a reserved header and cannot be overridden.")
             if normalized not in ALLOWED_WEBHOOK_HEADERS and not normalized.startswith("x-"):
                 raise ValidationError(
-                    f"'{name}' is not an allowed webhook header. Use Authorization, "
-                    "User-Agent, Accept, Date, Prefer, or X-* custom headers."
+                    f"'{name}' is not an allowed webhook header. Use Authorization "
+                    "or X-* custom headers."
                 )
             # Reject duplicate names (case-insensitive). This keeps the masked-value
             # round-trip unambiguous: the updater re-pairs masked entries to stored

tests/sentry/sentry_apps/api/endpoints/test_sentry_app_details.py

@@ -752,29 +752,20 @@ def test_set_webhook_headers(self) -> None:
             webhookHeaders=[
                 "Authorization: Bearer token",
                 "X-Example: value",
-                "User-Agent: custom-agent",
-                "Accept: application/json",
-                "Date: Tue, 10 Jun 2026 12:00:00 GMT",
-                "Prefer: respond-async",
+                "X-Custom-Header: another",
             ],
             status_code=200,
         )
         self.published_app.refresh_from_db()
         assert self.published_app.webhook_headers == [
             "Authorization: Bearer token",
             "X-Example: value",
-            "User-Agent: custom-agent",
-            "Accept: application/json",
-            "Date: Tue, 10 Jun 2026 12:00:00 GMT",
-            "Prefer: respond-async",
+            "X-Custom-Header: another",
         ]
         assert response.data["webhookHeaders"] == [
             f"Authorization: {MASKED_VALUE}",
             f"X-Example: {MASKED_VALUE}",
-            f"User-Agent: {MASKED_VALUE}",
-            f"Accept: {MASKED_VALUE}",
-            f"Date: {MASKED_VALUE}",
-            f"Prefer: {MASKED_VALUE}",
+            f"X-Custom-Header: {MASKED_VALUE}",
         ]
 
     @override_options({"staff.ga-rollout": True})