I can't get the GitHub plugin's web hooks to work unless I go into "Configure Global Security" and set "Prevent Cross Site Request Forgery exploits" to disabled.

From my googling around [1], it seems that perhaps this plugin needs to add a CrumbExclusion?

[1] https://issues.jenkins-ci.org/browse/JENKINS-10263