Dev Ops · n8n

Monitor for Unsigned or Invalid Webhook Calls to Your API

Harden your integrations — detect incoming webhooks with missing or invalid signatures and alert security to possible spoofing attempts.

difficulty Advancedsetup 40 minresult Spoofed or misconfigured webhook calls are caught and surfaced, protecting your endpoints.
  1. 1

    Receive the Calls

    Add a Webhook node capturing inbound requests with their signature headers.

  2. 2

    Verify the Signature

    Add a Code node validating the HMAC signature against the shared secret.

  3. 3

    Flag Invalid Calls

    Add an IF node continuing when a signature is missing or fails verification.

  4. 4

    Alert Security

    Add a Slack node reporting the source and details of the invalid call.

  5. 5

    Activate and Test

    Activate the workflow and send a request with a bad signature. Confirm it's flagged.

Frequently asked questions

Should invalid calls be rejected?

Reject them at the gateway, and use this monitor to detect patterns of spoofing attempts.

What about a rotated secret?

Support both old and new secrets during rotation so valid calls aren't wrongly flagged.

About this recipe. Recipes on FlowRecipesHub are written for business owners, not developers, and are tested before publishing — how recipes get made. Some ingredient links are affiliate links that cost you nothing — full disclosure.