Unauthenticated webhook in n8n
Why public webhooks without authentication expose your workflow to attacks
What is this issue?
An unauthenticated webhook is an HTTP endpoint that accepts requests from anyone on the internet without verifying the sender's identity. This makes your workflow vulnerable to unauthorized access and abuse.
Common vulnerable patterns:
• GET webhooks that trigger database operations
• Webhooks without Basic Auth or Header Auth enabled
• Missing secret validation on incoming requests
• Public endpoints that trigger sensitive actions
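The patterns above can be checked mechanically against an exported workflow. The script below is an added example, not code from the page or from n8n: it walks the workflow JSON, finds Webhook nodes with no authentication configured, and flags GET webhooks that feed nodes which act on external systems. It assumes the field names n8n uses when exporting a Webhook node (`type` of `n8n-nodes-base.webhook`, `parameters.httpMethod` defaulting to GET when absent, `parameters.authentication` defaulting to `"none"` when absent) and the `connections[node].main` layout; verify those names against your own export. The list of "action" node types and the sample workflow are constructed for the example.

```javascript
// Added example: scan an exported n8n workflow for unauthenticated webhooks.
// Field names below are assumptions about n8n's export format (see lead-in).
const WEBHOOK_TYPE = "n8n-nodes-base.webhook";

// Node types treated as "performing an action" for this example (constructed
// list); a webhook that reaches one of these over GET matches the
// "GET webhooks that trigger database operations" pattern.
const ACTION_NODE_TYPES = new Set([
  "n8n-nodes-base.postgres",
  "n8n-nodes-base.mySql",
  "n8n-nodes-base.httpRequest",
  "n8n-nodes-base.executeCommand",
]);

// Names of the nodes directly downstream of `nodeName`, read from n8n's
// connections structure: { [sourceName]: { main: [[{ node, type, index }, ...], ...] } }
function downstreamOf(workflow, nodeName) {
  const outputs = workflow.connections?.[nodeName]?.main ?? [];
  return outputs.flat().filter(Boolean).map((conn) => conn.node);
}

// Returns one finding per Webhook node that has at least one issue.
function findUnauthenticatedWebhooks(workflow) {
  const byName = new Map(workflow.nodes.map((n) => [n.name, n]));
  const findings = [];
  for (const node of workflow.nodes) {
    if (node.type !== WEBHOOK_TYPE) continue;
    const params = node.parameters ?? {};
    const method = String(params.httpMethod ?? "GET").toUpperCase(); // n8n default is GET
    const auth = params.authentication ?? "none";                    // n8n default is none
    const issues = [];

    if (auth === "none") {
      issues.push("no authentication: neither Basic Auth nor Header Auth is enabled");
    }

    const actionTargets = downstreamOf(workflow, node.name)
      .map((name) => byName.get(name))
      .filter((n) => n && ACTION_NODE_TYPES.has(n.type))
      .map((n) => n.name);
    if (method === "GET" && actionTargets.length > 0) {
      issues.push(`GET webhook feeds action node(s): ${actionTargets.join(", ")}`);
    }

    if (issues.length > 0) {
      findings.push({ node: node.name, path: params.path, method, auth, issues });
    }
  }
  return findings;
}

// Constructed sample workflow: one GET/no-auth webhook wired to Postgres,
// one POST webhook with Header Auth, one POST webhook with no auth.
const SAMPLE_WORKFLOW = {
  name: "constructed example",
  nodes: [
    { name: "Update record", type: WEBHOOK_TYPE, parameters: { path: "update-record" } },
    { name: "Postgres", type: "n8n-nodes-base.postgres", parameters: {} },
    { name: "Stripe events", type: WEBHOOK_TYPE,
      parameters: { path: "stripe", httpMethod: "POST", authentication: "headerAuth" } },
    { name: "Public form", type: WEBHOOK_TYPE, parameters: { path: "form", httpMethod: "POST" } },
    { name: "Set", type: "n8n-nodes-base.set", parameters: {} },
  ],
  connections: {
    "Update record": { main: [[{ node: "Postgres", type: "main", index: 0 }]] },
    "Stripe events": { main: [[{ node: "Set", type: "main", index: 0 }]] },
    "Public form": { main: [[{ node: "Set", type: "main", index: 0 }]] },
  },
};

console.log(JSON.stringify(findUnauthenticatedWebhooks(SAMPLE_WORKFLOW), null, 2));
```

Run it against a real export with `node scan.js < workflow.json` after replacing `SAMPLE_WORKFLOW` with `JSON.parse(require("fs").readFileSync(0, "utf8"))`. Authentication of any kind other than `"none"` counts as authenticated here; whether the credential is strong is a separate review.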
Why is this dangerous?
Unauthorized access
Anyone can trigger your workflow by simply knowing or guessing the webhook URL.
Data manipulation
Attackers can inject malicious data into your workflow, potentially corrupting databases or triggering unintended actions.
Resource exhaustion
Bots can flood your webhook with requests, consuming your n8n resources and potentially causing DoS.
CSRF attacks
GET webhooks that perform actions are vulnerable to Cross-Site Request Forgery attacks.
How to fix it
1. Enable Basic Auth
In your Webhook node, set Authentication to 'Basic Auth' and configure a strong username and password.
2. Use Header Auth
Configure Header Auth to require a specific secret header (e.g., X-API-Key) that only trusted clients know.
3. Validate signatures
For integrations like GitHub or Stripe, validate the webhook signature using the provided secret.
4. Use POST for actions
Avoid GET requests for webhooks that perform write operations. Use POST and validate the request body.