
Lesson 2: Webhooks — When You Want Things to Push Instead of Pull

Security: Treat Webhook URLs Like Passwords

Your webhook URL is publicly accessible. Anyone who has it can send data to your workflow. In most cases, this is fine — but for sensitive workflows (especially financial or security-related), you want to verify that the webhook request actually came from the service you're expecting.

Most services that support webhooks also provide a signing mechanism. When they send the webhook, they include a signature (calculated from a secret key and the request body). You can verify that signature in your workflow to confirm the request is legitimate. Make and n8n both support this. The API documentation for the service will explain how to verify the signature.

It's an extra step, but for anything important, it's worth doing.
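As an added illustration (not code from this lesson or from any particular service), here is what that verification step can look like in JavaScript, the language of n8n's Code node. The HMAC-SHA256 algorithm, hex encoding, `sha256=` prefix, secret and payload are all assumptions made for the example; your service's API documentation defines the real scheme.

```javascript
// Added example: generic HMAC-SHA256 webhook signature check.
// Algorithm, encoding and header prefix are assumptions, not a specific vendor's scheme.
const crypto = require("crypto");

// Compute the signature a sender holding the secret would attach to this exact body.
function signBody(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Return true only if the signature header matches the raw request body.
function verifyWebhook(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== "string" || signatureHeader.length === 0) {
    return false; // unsigned request: reject instead of processing it
  }
  const received = Buffer.from(signatureHeader.replace(/^sha256=/, ""), "utf8");
  const expected = Buffer.from(signBody(secret, rawBody), "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length) return false;
  // Constant-time comparison avoids leaking how many characters matched.
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample data (not real credentials or a real payload).
const SECRET = "example-shared-secret";
const BODY = '{"event": "payment.succeeded", "amount": 4200}';
const GOOD_HEADER = "sha256=" + signBody(SECRET, BODY);

function demo() {
  return {
    genuine: verifyWebhook(SECRET, BODY, GOOD_HEADER),
    // Body changed in transit: signature no longer matches.
    tampered: verifyWebhook(SECRET, BODY.replace("4200", "9900"), GOOD_HEADER),
    // Sender without the secret cannot produce a valid signature.
    wrongSecret: verifyWebhook("guessed-secret", BODY, GOOD_HEADER),
    unsigned: verifyWebhook(SECRET, BODY, undefined),
    // Parsing and re-serializing JSON changes the bytes, so a genuine request fails.
    reserialized: verifyWebhook(SECRET, JSON.stringify(JSON.parse(BODY)), GOOD_HEADER),
  };
}

console.log(demo());
```

The `reserialized` case is the usual pitfall: the signature covers the exact bytes the service sent, so verify against the raw request body before anything parses it.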
