I’d like to suggest adding an option (or making it default) to not forward the credentials received by a webhook trigger in to the execution. This would be good to limit exposure of access keys/etc.
For reference, here’s an example of what appears in the execution history when a webhook client uses header auth to launch an n8n webhook:
Hi @jzrts, I’ll convert this suggestion into a feature request so you and other users can leave a vote on this.
Until such a feature is considered, perhaps you want to simply avoid storing execution data on your webhook flow, strip anything secret and then call a sub-workflow?
E.g. have one workflow like this on which you don’t store execution data:
Then a second workflow (called by the Execute Workflow node) which only receives redacted data and for which you do store execution data: