--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -19,6 +19,7 @@
 default_timeout Gitlab.config.gitlab.webhook_timeout
 validates :url, presence: true, url: true
+ validates :token, format: { without: /\n/ }
 def execute(data, hook_name)
 parsed_url = URI.parse(url)
@@ -57,7 +58,7 @@
 'Content-Type' => 'application/json',
 'X-Gitlab-Event' => hook_name.singularize.titleize
 }
- headers['X-Gitlab-Token'] = token if token.present?
+ headers['X-Gitlab-Token'] = Gitlab::Utils.remove_line_breaks(token) if token.present?
 headers
 end
 end
--- a/lib/gitlab/utils.rb
+++ b/lib/gitlab/utils.rb
@@ -14,6 +14,10 @@
 str.force_encoding(Encoding::UTF_8)
 end
+ def remove_line_breaks(str)
+ str.gsub(/\r?\n/, '')
+ end
+
 def to_boolean(value)
 return value if [true, false].include?(value)
 return true if value =~ /^(true|t|yes|y|1|on)$/i
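Review bot: The new `validates :token, format: { without: /\n/ }` rejects only LF, so a token containing a bare carriage return still passes validation. The same gap is in `remove_line_breaks` in lib/gitlab/utils.rb, whose `/\r?\n/` strips `\n` and `\r\n` but leaves a lone `\r` in the value that reaches the `X-Gitlab-Token` header. Some HTTP parsers are lenient about a bare CR and may treat it as a line terminator, so it is safer to reject and strip both characters: `validates :token, format: { without: /[\r\n]/ }` and `str.gsub(/[\r\n]/, '')`.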
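Review bot: The `X-Gitlab-Token` line now strips line breaks at send time, but nothing says why that is still needed once the model validates the token, and the sent value changes without any trace. Presumably it covers tokens stored before the validation existed; a comment such as `# Tokens saved before the format validation may contain line breaks; strip them so the header cannot be split` would record that. A receiver comparing the header with the secret it configured would then see a mismatch with nothing logged on the sending side, so a warning when the stripped value differs from `token` may be worth adding. The enclosing method starts outside the hunk.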