Option To Prevent Plaintext Webhook Credentials in Execution

jzrts · November 8, 2023, 8:23pm

Hi,

I’d like to suggest adding an option (or making it default) to not forward the credentials received by a webhook trigger in to the execution. This would be good to limit exposure of access keys/etc.

For reference, here’s an example of what appears in the execution history when a webhook client uses header auth to launch an n8n webhook:

[

{

"headers": {

"x-forwarded-for": "10.251.1.98",

"x-forwarded-proto": "https",

"x-forwarded-port": "443",

"host": "n8n.domainname.com",

"x-amzn-trace-id": "Root=1-654beaf3-2cd9616a3f37939610d9e884",

"user-agent": "curl/7.61.1",

"accept": "*/*",

"key": "<redacted from this forum post>"

},

"params": {

},

"query": {

}

}

]

Thanks!

MutedJam · November 13, 2023, 3:05pm

Hi @jzrts, I’ll convert this suggestion into a feature request so you and other users can leave a vote on this.

Until such a feature is considered, perhaps you want to simply avoid storing execution data on your webhook flow, strip anything secret and then call a sub-workflow?

E.g. have one workflow like this on which you don’t store execution data:

Then a second workflow (called by the Execute Workflow node) which only receives redacted data and for which you do store execution data:

jzrts · November 13, 2023, 3:31pm

Oh ya, that’s a good idea for an alternative way to do it. That works just fine too, thanks!