Prefer `x-hub-signature-256` header with `sha256` for improved security

[ishmam-mahmud]

The securing webhooks documentation notes that the SHA1 header is still there only for backwards compatibility purposes, while recommending the SHA256 header for improved security.

I suggest this package move to SHA256 and only use the SHA1 header as a secondary resort instead.

[mwhitworth]

My fork github_webhook has migrated to using X-Hub-Signature-256 for validation, without the fallback to SHA1.