Webhook security basics you can't skip
When you create a webhook in n8n, you get a URL. Anyone with that URL can trigger your workflow. That's a problem.
Here's how to fix it.
The risk
An unsecured webhook can:
- Get spammed with garbage data
- Get used in DDoS attacks (you pay for the compute)
- Expose sensitive data if your workflow returns it
- Trigger unintended actions (imagine a webhook that creates invoices...)
Method 1: Header authentication
The simplest approach. Require a secret header.
In n8n:
- Webhook node → Authentication → Header Auth
- Set a header name (e.g.,
x-api-key) - Set a secret value
Now requests without the correct header get rejected.
# This works
curl -X POST https://your-n8n.com/webhook/xyz \
-H "x-api-key: your-secret" \
-H "Content-Type: application/json" \
-d '{"data": "test"}'
# This fails
curl -X POST https://your-n8n.com/webhook/xyz \
-d '{"data": "test"}'
When to use: Most internal integrations. Anything where you control the sender.
Method 2: Webhook signatures
Many services (Stripe, GitHub, Shopify) sign their webhooks. The signature proves the request came from them.
In n8n, use a Code node to verify:
const crypto = require('crypto');
const payload = JSON.stringify($json);
const signature = $headers['x-signature'];
const secret = 'your-webhook-secret';
const expected = crypto
.createHmac('sha256', secret)
.update(payload)
.digest('hex');
if (signature !== expected) {
throw new Error('Invalid signature');
}
return $json;
When to use: Receiving webhooks from third-party services that support signatures.
Method 3: IP allowlisting
If you know exactly where requests should come from, block everything else.
This requires infrastructure-level configuration (nginx, Cloudflare, etc.), not n8n config.
When to use: High-security environments. Known, fixed senders.
Method 4: Request validation
Even with auth, validate the payload:
// In a Code node
const required = ['event', 'user_id', 'timestamp'];
const missing = required.filter(f => !$json[f]);
if (missing.length > 0) {
throw new Error(`Missing fields: ${missing.join(', ')}`);
}
// Validate types
if (typeof $json.user_id !== 'number') {
throw new Error('user_id must be a number');
}
return $json;
When to use: Always. Defense in depth.
Common mistakes
Using production URLs in test mode
Your test webhook is a different URL. Don't expose prod webhooks during development.
Logging sensitive data
Webhook payloads often contain PII. Don't log full payloads to public channels.
Trusting the payload
Never use webhook data directly in database queries or commands without validation. Basic injection protection applies here.
Minimum viable security
At minimum, every production webhook should have:
- Header authentication or signature verification
- Payload validation
- Rate limiting (if your infrastructure supports it)
Takes 30 minutes to set up. Saves you from 3am incident calls.
Building webhooks into your automation? Let's make sure they're solid.
Production-Grade Claude Code in 5 Days
Set up Claude Code the right way - from someone who ships with it daily.
100% satisfaction guarantee. Full refund if you're not happy after the first session.
Related Posts
Claude for Small Business: what's in the plugin (and how to decide)
Claude for Small Business is a plugin for Claude Cowork with 25+ pre-built skills and 8 native integrations. Here's what's in it, how it compares to ChatGPT Team, and a decision tree for picking the right setup.
The 2 prerequisites for Claude Code (you'll regret skipping)
Before you install Claude Code, you need source control (GitHub or similar) and issue tracking (Linear or similar). Here's what each one does, why both matter, and the 10-minute setup to get both running.
A beginner's guide to source control with GitHub
GitHub for beginners – what source control is, the 5 commands that do 90% of the work, branching, pull requests, and the conventions worth stealing from production AGENTS.md files.