Webhook security basics you can't skip
Webhook security basics you can't skip
When you create a webhook in n8n, you get a URL. Anyone with that URL can trigger your workflow. That's a problem.
Here's how to fix it.
The risk
An unsecured webhook can:
- Get spammed with garbage data
- Get used in DDoS attacks (you pay for the compute)
- Expose sensitive data if your workflow returns it
- Trigger unintended actions (imagine a webhook that creates invoices...)
Method 1: Header authentication
The simplest approach. Require a secret header.
In n8n:
- Webhook node → Authentication → Header Auth
- Set a header name (e.g.,
x-api-key) - Set a secret value
Now requests without the correct header get rejected.
# This works
curl -X POST https://your-n8n.com/webhook/xyz \
-H "x-api-key: your-secret" \
-H "Content-Type: application/json" \
-d '{"data": "test"}'
# This fails
curl -X POST https://your-n8n.com/webhook/xyz \
-d '{"data": "test"}'
When to use: Most internal integrations. Anything where you control the sender.
Method 2: Webhook signatures
Many services (Stripe, GitHub, Shopify) sign their webhooks. The signature proves the request came from them.
In n8n, use a Code node to verify:
const crypto = require('crypto');
const payload = JSON.stringify($json);
const signature = $headers['x-signature'];
const secret = 'your-webhook-secret';
const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
if (signature !== expected) {
throw new Error('Invalid signature');
}
return $json;
When to use: Receiving webhooks from third-party services that support signatures.
Method 3: IP allowlisting
If you know exactly where requests should come from, block everything else.
This requires infrastructure-level configuration (nginx, Cloudflare, etc.), not n8n config.
When to use: High-security environments. Known, fixed senders.
Method 4: Request validation
Even with auth, validate the payload:
// In a Code node
const required = ['event', 'user_id', 'timestamp'];
const missing = required.filter(f => !$json[f]);
if (missing.length > 0) {
throw new Error(`Missing fields: ${missing.join(', ')}`);
}
// Validate types
if (typeof $json.user_id !== 'number') {
throw new Error('user_id must be a number');
}
return $json;
When to use: Always. Defense in depth.
Common mistakes
Using production URLs in test mode
Your test webhook is a different URL. Don't expose prod webhooks during development.
Logging sensitive data
Webhook payloads often contain PII. Don't log full payloads to public channels.
Trusting the payload
Never use webhook data directly in database queries or commands without validation. Basic injection protection applies here.
Minimum viable security
At minimum, every production webhook should have:
- Header authentication or signature verification
- Payload validation
- Rate limiting (if your infrastructure supports it)
Takes 30 minutes to set up. Saves you from 3am incident calls.
Building webhooks into your automation? Let's make sure they're solid.
Related Posts
n8n Guardrails Node: The Complete Guide to AI Output Validation
Learn how to use n8n's native Guardrails node to validate AI outputs automatically. Block keywords, detect PII, prevent jailbreaks, and route content based on validation results.
n8n v2.0 is here: What breaks, what's new, and how to prepare
The biggest n8n release in years just dropped. Here's everything you need to know before upgrading.
How to build a lead scoring workflow in n8n
Stop guessing which leads to chase. Build an automated scoring system that does it for you.