/webhook · sink: requests.post
POSTs your URL with a JSON body and echoes status, length, content-type, X-* headers.
The body is hidden but headers aren't. The internal service at http://127.0.0.1:8089/webhook-callback returns the flag in a response header.