
I developed an application that works with GitHub and GitHub hooks. When a new hook request is received, I just update/clone the repository (and then I do a little processing on the repository).

Because I accept all hook requests blindly, anyone can generate a hook request and send it to me.

I want to know how I can protect my application from unwanted hook requests.

Afshin Mehrabani

1 Answer


GitHub does not include any secret information with the payload (based on https://help.github.com/articles/post-receive-hooks).

So your best defense is to make the URL of your webhook hard to guess by using a random string in the URL of your webhook.

You may also consider, although this may break over time, checking that request.connection.remoteAddress is within a range of addresses that are known to belong to GitHub hosts (Rackspace at the moment?). This answer includes known IP addresses: How to verify a post-receive hook request actually came from github?

Pascal Belloncle