How do I make sure an incoming webhook is really from the source?
An open webhook endpoint accepts any request. An attacker who knows the URL can feed your flow fake data, and a captured genuine request can be replayed. HMAC signing, with the signature carried in a request header, is the standard fix; an IP allowlist is a second layer.
Try this first
1. Ask the source (Stripe, GitHub, Mollie, Shopify) to enable a signing secret, and store that secret in a vault, not in the flow step itself.
2. In the first flow step, compute the HMAC over the raw request body (the bytes as received, not the parsed and re-serialised JSON) with that secret and compare it to the signature header using a constant-time comparison. On mismatch, stop immediately.
3. Apply a time window, for example 5 minutes, to the payload timestamp, and make sure the timestamp is part of what is signed; otherwise a leaked old request stays replayable indefinitely.
4. Where possible, add an IP allowlist for the source's known ranges, especially payment providers that publish their IPs.
5. Log every rejected request separately, with the reason; that is your early warning that someone is guessing or abusing the URL.
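A verifier that runs the five steps above in order, added here as an example; it is not code from this page or from any of the providers named. The header names (X-Signature, X-Timestamp), the signed-string layout (HMAC-SHA256 over "timestamp.body"), the sample secret, body and the 203.0.113.0/24 allowlist are all constructed assumptions. Each real provider documents its own header name, encoding and signed-string layout, and that is what you follow; this shows the shape of the checks and the order they go in.

```python
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumed header names and signing scheme for this example only. Real
# providers document their own header name, encoding and signed-string layout.
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300  # the 5-minute replay window from step 3

# Constructed sample data. In production the secret is read from a vault at
# runtime, and the allowlist is the provider's published source ranges.
SAMPLE_SECRET = b"whsec_constructed_example_secret"
SAMPLE_BODY = b'{"event":"payment.paid","amount":1999,"currency":"EUR"}'
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Verdict:
    ok: bool
    reason: str  # "ok", or why the request was rejected: log this on every reject (step 5)


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over '<timestamp>.<raw body>'.

    The timestamp is bound into the signed string on purpose. If it were only
    sent alongside the body, a replayer could simply rewrite it.
    """
    msg = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                   source_ip: str, allowlist: Iterable, now: Optional[float] = None) -> Verdict:
    """Run the checks in order; the first failure wins.

    `raw_body` must be the bytes exactly as received. Parsing the JSON and
    serialising it again changes whitespace and key order and breaks the HMAC.
    """
    now = time.time() if now is None else now
    allowlist = list(allowlist)

    # Step 4: IP allowlist. An empty list means the source publishes no ranges.
    if allowlist:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in allowlist):
            return Verdict(False, f"source ip {source_ip} not in allowlist")

    # Step 2: both headers must be present and the timestamp must parse.
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return Verdict(False, "missing signature or timestamp header")
    try:
        ts = int(ts_raw)
    except ValueError:
        return Verdict(False, "timestamp header is not an integer")

    # Step 2: recompute over the raw bytes and compare in constant time, so the
    # comparison itself does not leak how many leading characters matched.
    expected = sign(secret, ts, raw_body)
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return Verdict(False, "signature mismatch")

    # Step 3: only a correctly signed request gets as far as the replay check.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return Verdict(False, f"timestamp outside {MAX_SKEW_SECONDS}s window, possible replay")

    return Verdict(True, "ok")


def signed_headers(secret: bytes, timestamp: int, raw_body: bytes) -> Dict[str, str]:
    """What the sending side attaches; used here to build sample requests."""
    return {TIMESTAMP_HEADER: str(timestamp), SIGNATURE_HEADER: sign(secret, timestamp, raw_body)}


if __name__ == "__main__":
    ts = int(time.time())
    hdrs = signed_headers(SAMPLE_SECRET, ts, SAMPLE_BODY)
    print(verify_webhook(SAMPLE_SECRET, hdrs, SAMPLE_BODY, "203.0.113.7", ALLOWLIST))
    # Tampered body: rejected, and the reason is what goes into the rejection log.
    print(verify_webhook(SAMPLE_SECRET, hdrs, SAMPLE_BODY + b" ", "203.0.113.7", ALLOWLIST))
    # Same request 10 minutes later: rejected as a replay.
    print(verify_webhook(SAMPLE_SECRET, hdrs, SAMPLE_BODY, "203.0.113.7", ALLOWLIST, now=ts + 600))
```

Call it from the first flow step (or from a proxy in front of the flow) with the raw request bytes; the returned `reason` is the text step 5 logs. The checks are deliberately ordered so that the timestamp is only trusted after the signature has proven it was set by the sender.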
When to bring us in
If your source has no HMAC support but sends financial or personal data, we can look at a proxy layer that adds verification.
See also
- n8n: self-host or cloud? Self-hosted is cheaper at volume and keeps data local. Cloud removes the ops burden.
- Zapier or Make: which fits better? Zapier is straight-line; Make handles complex flows with routers and iterators for less money.
- Power Automate Cloud or Desktop: which to use? Cloud for SaaS integrations and triggers. Desktop for RPA against legacy Windows apps without APIs.