Jenkins 2.204.1 on Linux, Github plugin 1.29.5
If you have CSRF checking turned on in Global Security Settings:
And you have the Github webhook URL overridden in Jenkins Settings:
Then each webhook payload will hit a CSRF error:
I believe this is because the url /github-webhook is hardcoded in GitHubWebHookCrumbExclusion.java.