Wait Node Security

Referring to the video here: https://www.youtube.com/watch?v=uXkLv2ysGNw

Why is a UUID not used for the wait node restart id? Using a simple 4-digit number seems easily hackable/discoverable. Especially if something sensitive/important is triggered by a bad actor.
I see that the recommendation is to append a random string/UUID for security, but why not be secure by default?

And by the way THANK YOU for this excellent new node. My mind is reeling with all the possibilities I can use it for.

Welcome to the community @davidbamboo!

About the ID. It is not a 4-digit number, it is the execution ID. So it can be between 1 digit and very many, depending on how many executions have been created. Just as an explanation, not that it should mean that it makes it more secure.

If you worry about security, you already have two possibilities:

  1. Activate Authentication (you can then use basic-auth or a specific header property)
  2. Add a “Webhook Suffix”, that can then be set to a random ID

As you mentioned it is a new feature that may change in the future.


Thanks for the note Jan. (and awesome n8n!)

If it increments from 1 to …, that is almost worse, because to cause mischief, I just need to hammer the URL with incrementing numbers to set off a whole cascade of problems. 1 to a million will take just a few minutes.

I agree that it is possible to easily secure it by various means, I’m just concerned that it is not secure by default. I’m not a big fan of UUID, but it does have its place, or at least something not easily guessable, like a number and hash.

A URL that can trigger an action in a system with this much privilege should never be guessable. That is why you use UUID for your webhook node. 🙂

Cheers,
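An added example, not part of the thread and not n8n's own code: a constructed in-memory stand-in for a resume endpoint, showing why a suffix drawn from a CSPRNG and checked in constant time turns the sequential-ID sweep discussed above into a non-event. Every function name and the gate itself are assumptions made for illustration.

```javascript
// Added example. Nothing here is an n8n API; the "gate" is a constructed model.
const crypto = require('crypto');

// 16 bytes (128 bits) from the OS CSPRNG, encoded URL-safe (22 characters).
function newSuffix(bytes = 16) {
  return crypto.randomBytes(bytes).toString('base64url');
}

// Average requests needed to hit one of `live` valid values in `space`.
function expectedGuesses(space, live = 1n) {
  return space / (2n * live);
}

// Constant-time comparison. Hashing first gives equal-length buffers,
// which crypto.timingSafeEqual requires.
function suffixMatches(presented, expected) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// Constructed resume gate: execution ID -> suffix that must accompany it.
function makeResumeGate() {
  const waiting = new Map();
  return {
    register(executionId) {
      const suffix = newSuffix();
      waiting.set(String(executionId), suffix);
      return suffix;
    },
    // True only when the execution is waiting AND the suffix is correct.
    resume(executionId, suffix) {
      const expected = waiting.get(String(executionId));
      if (expected === undefined) return false;
      return suffixMatches(suffix ?? '', expected);
    },
  };
}

// Defender's self-test: how many bare IDs in 1..maxId resume anything?
function bareIdHits(gate, maxId) {
  let hits = 0;
  for (let id = 1; id <= maxId; id++) if (gate.resume(id, '')) hits++;
  return hits;
}
```

With one waiting execution among IDs 1 to 1,000,000, `expectedGuesses(1000000n)` is 500,000 requests; for the 128-bit suffix, `expectedGuesses(2n ** 128n)` is 2^127.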

How do we use the suffix? Is it just:

$execution.resumeUrl.suffix?