good question. here's what we do:
1. HMAC verification: most services (Stripe, Shopify, GitHub) send a signature header. first node in our workflow validates the signature before proceeding. if it doesn't match the workflow stops
2. IP allowlisting: for internal services we check the source IP in a condition node. only our server IPs get through
3. payload validation: we have a condition node that checks required fields exist and are the right type. prevents malformed data from corrupting our tables
4. the webhook URL being a random UUID is already decent security but yeah for PII workflows you want additional layers
the HMAC approach is what we ended up implementing too. it's the industry standard and most API providers support it. thanks for confirming we're on the right track
also worth noting: rotate your webhook URLs periodically if they're exposed to external services. you can regenerate the URL and update the sending service. quick way to invalidate any leaked URLs
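The first three checks from the list above, sketched as one gate function. This is an added example, not code from anyone in the thread. The secret, the allowlisted network, the field names and the bare hex HMAC-SHA256 signature format are all assumptions; each provider defines its own header and encoding.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample values for illustration, not taken from the thread.
SECRET = b"constructed-shared-secret"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]
REQUIRED_FIELDS = {"event": str, "order_id": int}


def sign(raw_body, secret=SECRET):
    """Hex HMAC-SHA256 of the raw body, as the sending service would compute it."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def check_webhook(raw_body, signature, source_ip):
    """Return (accepted, reason); processing stops at the first failed check."""
    # 1. Signature: computed over the exact bytes received (not re-serialized
    #    JSON) and compared in constant time. Comparing bytes avoids a
    #    TypeError on non-ASCII header values.
    expected = sign(raw_body).encode()
    if not hmac.compare_digest(expected, (signature or "").encode()):
        return False, "bad signature"

    # 2. Source IP: must parse and fall inside an allowlisted network.
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "source ip not allowed"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source ip not allowed"

    # 3. Payload: a JSON object with required fields of the exact type
    #    (type() rather than isinstance(), so True does not pass as an int).
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False, "bad payload"
    if not isinstance(payload, dict):
        return False, "bad payload"
    for name, expected_type in REQUIRED_FIELDS.items():
        if type(payload.get(name)) is not expected_type:
            return False, "bad payload"
    return True, "ok"
```

The signature has to be checked against the raw request bytes; if the platform hands the node an already-parsed body, re-serializing it will usually not reproduce the bytes the sender signed.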