The idea is:
Headers redaction for webhooks output
My use case:
We are (about to) run a few (dozen) n8n enterprise instances. While working on webhook nodes we noticed all headers are logged, including authorization - which is a security problem for us
I think it would be beneficial to add this because:
There were already some voices to introduce something like that
Any resources to support this?
master ← prajwal-razorpay:redact-webhook-headers
opened 03:15AM - 15 Oct 25 UTC
## Summary
This PR implements secret redaction for sensitive headers in the… Webhook node, addressing a security vulnerability where authentication headers (like Authorization, X-API-Key, etc.) were being passed through in plain text to the UI editor.
**What was changed:**
- Added redactSensitiveHeaders utility function in packages/nodes-base/nodes/Webhook/utils.ts
- Applied header redaction in all three webhook response paths:
  - Main webhook method
  - Form data handling
  - Binary data handling
- Sensitive headers are now redacted as **hidden** instead of exposing actual values
**Headers that are now redacted:**
- authorization
- x-api-key
- x-auth-token
- cookie
- proxy-authorization
- sslclientcert
**Testing:**
- Added 12 comprehensive test cases for the redaction function
- Added integration tests to verify redaction works in actual webhook responses
- All existing tests continue to pass
This implementation follows the same pattern used in the HTTP Request node for consistency across n8n.
## Related Linear tickets, Github issues, and Community forum posts
[Community forum post: How do we redact the headers that are sent to the webhook trigger node](https://community.n8n.io/t/how-do-we-redact-the-headers-that-are-sent-to-the-webhook-trigger-node/205437/3)
## Review / Merge checklist
- [x] PR title and summary are descriptive. ([conventions](../blob/master/.github/pull_request_title_conventions.md))
- [ ] [Docs updated](https://github.com/n8n-io/n8n-docs) or follow-up ticket created.
- [x] Tests included.
- [ ] PR Labeled with `release/backport` (if the PR is an urgent fix that needs to be backported)
Are you willing to work on this?
Nope, but I added a link to a PR with a solution - unfortunately it was closed, but the code is there
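
The redaction the PR summary describes, written out as an added example (not the PR's or n8n's own code): the header list and the `**hidden**` placeholder come from the summary, while the type and function names are hypothetical and the sample request headers are constructed.

```typescript
// Added example, not n8n's code. Header list and placeholder are taken
// from the PR summary; every identifier here is hypothetical.
type HeaderValue = string | string[] | undefined;
type HeaderMap = Record<string, HeaderValue>;

const REDACTED = '**hidden**';

const SENSITIVE_HEADERS: ReadonlyArray<string> = [
	'authorization',
	'x-api-key',
	'x-auth-token',
	'cookie',
	'proxy-authorization',
	'sslclientcert',
];

function isSensitive(headerName: string): boolean {
	// HTTP header names are case-insensitive, so compare in lower case.
	return SENSITIVE_HEADERS.indexOf(headerName.trim().toLowerCase()) !== -1;
}

// Returns a redacted copy. The caller's object is left untouched so that
// request handling (e.g. authentication checks) still sees the real values;
// only the copy should reach execution data, the editor UI or logs.
function redactHeaders(headers: HeaderMap): HeaderMap {
	const out: HeaderMap = {};
	for (const key of Object.keys(headers)) {
		const value = headers[key];
		if (!isSensitive(key) || value === undefined) {
			out[key] = Array.isArray(value) ? value.slice() : value;
		} else if (Array.isArray(value)) {
			// Repeated headers arrive as arrays: redact every element.
			out[key] = value.map(() => REDACTED);
		} else {
			out[key] = REDACTED;
		}
	}
	return out;
}

// Constructed sample input, shaped like headers a webhook might receive.
const sampleHeaders: HeaderMap = {
	Host: 'example.invalid',
	Authorization: 'Bearer constructed-token',
	'X-API-Key': 'constructed-key',
	cookie: ['a=1', 'b=2'],
	'content-type': 'application/json',
};
const sampleRedacted = redactHeaders(sampleHeaders);
```

A fixed deny-list only covers the names on it, so custom credential headers used by a given integration would need to be added to `SENSITIVE_HEADERS`.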