Move webhookHeaders inside the owner-gated block so it is only returned to members of the owning org or elevated users, matching the same protection applied to clientId and clientSecret.

Also found at:

• src/sentry/sentry_apps/api/serializers/sentry_app.py:49
• src/sentry/sentry_apps/logic.py:117
• src/sentry/apidocs/examples/sentry_app_examples.py:108

Custom webhook headers (which may contain Authorization: Bearer <token> or similar credentials) are returned unconditionally in SentryAppSerializer.serialize() at api/serializers/sentry_app.py:150 without the owner-membership gate that protects clientId/clientSecret; any authenticated user can retrieve them via GET /api/0/apps/?status=published.

Also found at:

• src/sentry/sentry_apps/api/serializers/sentry_app.py:47
• src/sentry/sentry_apps/api/serializers/sentry_app.py:150
• src/sentry/sentry_apps/logic.py:352
• src/sentry/sentry_apps/logic.py:436
• src/sentry/sentry_apps/services/app/model.py:88
• src/sentry/sentry_apps/services/app/serial.py:44
• src/sentry/sentry_apps/logic.py:141
• src/sentry/sentry_apps/models/sentry_app.py:129

SentryAppSerializer returns webhookHeaders verbatim in the GET response for any Sentry App, and SentryAppPermission.has_object_permission lets any authenticated user GET a published app's details. Since webhook_headers is designed to carry per-app credentials (e.g. Authorization: Bearer ...), any Sentry user can read another org's webhook secrets via GET /api/0/sentry-apps/{slug}/. Mask the values like clientSecret does, or restrict exposure to org members with org:write.

Also found at:

• src/sentry/sentry_apps/api/serializers/sentry_app.py:48
• src/sentry/sentry_apps/api/serializers/sentry_app.py:150
• src/sentry/sentry_apps/logic.py:117
• src/sentry/sentry_apps/logic.py:352
• src/sentry/sentry_apps/services/app/model.py:88
• tests/sentry/sentry_apps/api/endpoints/test_sentry_apps.py:762-766