How do we redact the headers that are sent to the webhook trigger node?

Describe the problem/error/question

I’ve noticed a potential security concern regarding the Webhook node. The authorization headers are always visible in the output tab when the node executes, which could expose sensitive information.

I observed that there is existing redaction logic for the HttpRequestNode, but it doesn’t seem to apply to the Webhook node. Since credentials are included in these headers, it would be ideal if similar redaction could be implemented for the Webhook node to ensure better security.

Is there any way to resolve this concern?

Thanks

Information on your n8n setup

  • n8n version: 1.105.0
  • Database (default: SQLite): Postgres
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): npm
  • Operating system: Debian

Hi @prajwal-razorpay

I believe what you’re seeing here are the hashed credentials, not the actual credentials.

@mohamed3nan It’s not really hashed - it’s only base64 encoded - which offers no layer of security.

My password decoded

Your password decoded:

A feature would need to be added to either redact the secrets / hash the secrets like you mentioned - else this breaks the whole purpose of the credentials module.


wow what the :smiley:
nice catch, hope the n8n team see this

I created a PR to address this issue: fix(Webhook Node): Redact sensitive headers in webhook requests by prajwal-razorpay · Pull Request #20783 · n8n-io/n8n · GitHub

Hopefully the n8n team will look at this urgently and roll out a fix for this node / other nodes that don’t contain the redaction logic.

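An added example, not taken from the linked PR or from n8n's code base: it shows why a Base64 `Basic` value is recoverable and one way to mask sensitive headers before they are displayed or stored. The header list, the `**hidden**` placeholder, the function names and the sample request are assumptions constructed for illustration.

```javascript
// Assumed list of header names to mask (compared lower-case); not n8n's own list.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'x-api-key']);
const REDACTED = '**hidden**'; // placeholder text chosen for this example

// Base64 is an encoding, not a hash: a Basic value decodes straight back to user:password.
function decodeBasicAuth(value) {
  const match = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(String(value).trim());
  if (!match) return null; // not a Basic credential
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // only the first colon separates user from password
  if (sep === -1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Return a copy of the headers that is safe to show in an output panel or execution log.
// The auth scheme (Basic, Bearer, ...) is kept so the output still helps with debugging.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SENSITIVE_HEADERS.has(lower)) {
      out[name] = value;
      continue;
    }
    const values = Array.isArray(value) ? value : [value];
    const masked = values.map((v) => {
      const scheme = lower.endsWith('authorization') ? /^(\S+)\s+\S/.exec(String(v)) : null;
      return scheme ? `${scheme[1]} ${REDACTED}` : REDACTED;
    });
    out[name] = Array.isArray(value) ? masked : masked[0];
  }
  return out;
}

// Constructed sample of headers arriving at a webhook; all values are made up.
const incoming = {
  host: 'n8n.example.test',
  'content-type': 'application/json',
  Authorization: 'Basic ' + Buffer.from('webhook-user:s3cret:pw').toString('base64'),
  cookie: 'session=abc123',
};

console.log(decodeBasicAuth(incoming.Authorization)); // what a viewer of the raw output can recover
console.log(redactHeaders(incoming));                 // what the output could show instead
```

Authentication still has to run against the original headers; only the copy that is displayed or persisted is redacted.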