To help improve security for our customers, registering webhooks with non-https URLs is being deprecated. Secure URLs will be required when creating new webhooks later in 2018 in accordance with the Atlassian REST API policy.
If you have a script, integration, or app that registers webhooks using the Jira Cloud API, you should update it to only support HTTPS (secure) URLs as soon as possible. Depending on your implementation, this may involve adding data validation or UI and UX changes to your app.
Furthermore, if you have an app or service that receives webhook event data, it should also be running on a web server that has HTTPS enabled and a signed SSL/TLS certificate.
Using non-secure protocols for webhooks creates security risks for our customers. HTTPS helps prevent intruders from tampering with the webhook event data that's being sent between Atlassian and your app.
Self-signed certificates are not supported for webhooks. The receiving web server must have a valid SSL/TLS certificate, signed by a globally trusted certificate authority.
After the deprecation period, the following Jira Cloud REST API endpoint will return a 400 (Bad Request) on all webhook registration (POST) requests that contain a URL that is not HTTPS.
Also note that webhooks created via the product UI (from Jira Settings > System > Advanced) will also require HTTPS URLs following the deprecation period.
At this time, we are not planning to stop supporting pre-existing registered webhooks with non-secure URLs, but this is subject to change. If your app receives webhook data at a non-HTTPS URL, we strongly encourage you to migrate all existing webhooks to secure URLs.
On this page, as well as on the developer community, we will soon provide links to issues that you can watch.