How to limit Webhook submissions from one URL?

Hey there,

I use Webhooks for my form submissions from my website.
I put the Webhook in the action URL, and receive the appropriate data from the form.

Here’s my problem:
Some Russian guys hijacked my Webhook and are submitting spam information to my server.

My question follows:
How do I secure my Webhook connection to ensure that I can only submit it from one URL?
Do I need to set up CORS somehow? Do I need to install NGINX?
If so, how do I use NGINX with N8N?

Is there a solution that I am missing?

Any help is extremely appreciated as I’ve been pulling my hair out for the past couple of days (metaphorically).

Information on your n8n setup

  • n8n version: 0.208.1
  • Database you’re using (default: SQLite): default
  • Running n8n with the execution process [own(default), main]: main
  • Running n8n via [Docker, npm, n8n.cloud, desktop app]: docker compose

Hi @itsalanlee, you could for example add an IF node after your webhook node and verify some of the headers you are getting with each request (such as a source IP, assuming you’re seeing these in your setup).

Checking URLs will most likely not be sufficient here as these headers can easily be overwritten. Similarly, CORS settings will be verified by browsers which spammers will most likely not use.

You could also consider more comprehensive approaches such as using a Cloudflare proxy in front of your n8n server (which allows you to easily restrict access to certain geographic regions and which also verifies whether a page visitor uses a real browser) or implementing a captcha.

Hey @MutedJam , thanks for the reply.

The IF solution is what I’m running right now, but unfortunately, this doesn’t prevent those Russians from spamming me with their spam content; they can easily overload my server by submitting a load of those requests (it looks like they snatched the webhook URL from my HTML form and are running some sort of script that auto-submits spam content to the webhook. I keep changing the URL but they keep acquiring it).

The whole proxy approach sounds like the path I would need to take. Are there any tutorials that help guide the setup for N8N?

I am running N8N as root. I’m not sure, if I were to set up a proxy, whether I would need to reinstall N8N as a non-root user or not. (I don’t have a problem doing that, I just want to make sure that I can secure my server.)

I am not sure if there is an n8n-specific tutorial on how to set up Cloudflare, but my personal setup would consist of n8n and a bunch of other services in docker containers, running caddy as a web server/reverse proxy in front of these containers (with caddy being the only service receiving requests from the public internet) and lastly using the caddy module for Cloudflare to automatically solve DNS challenges.

So this is how it looks for me:

In this scenario, Cloudflare would receive all requests, then pass them on to my server running caddy which in turn redirects traffic to the respective docker container.

We have a bunch of server setups described at Server setups - n8n Documentation which cover the Docker & caddy part (the Digital Ocean one for example). These should also work for other hosting providers and caddy itself already makes blocking specific IPs super easy (in case your spammer only uses a handful of IPs or a single IP range).

If you then want to put a Cloudflare proxy in front of it all there should be plenty of resources out there and both services have very active communities if you need help. I’ve also seen lots of folks on the r/selfhosted Subreddit suggesting Cloudflare tunnels, but I don’t have any experience with this myself.

Edit: After writing “in case your spammer only uses a handful of IPs or a single IP range” it occurred to me that there might be an even simpler solution to your problem. Many VPS providers have included firewalls as part of their cloud portfolio these days. So if your provider offers such a firewall it might just take a few clicks to lock out certain malicious IPs and reduce the traffic sent to your n8n instance and is probably worth looking into.
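One way to do the caddy part of the setup described above, as an added example that is not code from the original reply or from the n8n docs: a Caddyfile (Caddy v2) that serves one hostname over HTTPS, refuses requests from a small blocklist of source addresses, and forwards everything else to the n8n container. The hostname, the container name `n8n`, the port (5678 is n8n’s default) and the blocked ranges are placeholders for this example.

```caddyfile
# Caddyfile (Caddy v2). The hostname, the container name and the
# blocked addresses are placeholders for this example.
n8n.example.com {
    # Named matcher for the addresses the spammer has been using.
    # Caveat: if Cloudflare proxies the site, the remote IP Caddy sees
    # is a Cloudflare edge address, so this matcher only sees the real
    # client when Caddy is configured to trust that proxy; otherwise
    # do the IP blocking in Cloudflare (or the provider firewall).
    @blocked remote_ip 203.0.113.0/24 198.51.100.42

    # Refuse blocked clients before anything reaches n8n.
    respond @blocked "Forbidden" 403

    # Everything else is proxied to the n8n container on its default port.
    reverse_proxy n8n:5678
}
```

Because Caddy is the only service exposed, the n8n container itself needs no published port on the host, which also removes the path the spammer’s script could use to bypass the proxy.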
