Whitelist IP addresses to call Webhook

Is there a way to Whitelist some IP addresses to prevent webhooks from being called by anybody ?

1 Like

No sorry, nothing like this exists. If you need it IP address-based you would have to take care of that before a request reaches n8n, like in a reverse-proxy.

If you control the service that makes the request, the easiest solution would be adding authentication to the HTTP Request node. n8n checks then if the given user & password matches (Basic Auth) or a required header has the correct value (Header Auth).

Hi, I’m using n8n.cloud, so I don’t have access to a reverse-proxy. And because of that I cannot have a whitelist IP.

I was playing with that and I see that the headers are accessible but they do not show the right external IP but the ‘internal’.

"headers": {
    "host": "some.app.n8n.cloud",
    "x-request-id": "2c7cdc7b3dec58947e572ef35a1a9241",
    "x-real-ip": "10.40.4.185",
    "x-forwarded-for": "10.40.4.185",
    "x-forwarded-host": "some.app.n8n.cloud",
    "x-forwarded-port": "443",
    "x-forwarded-proto": "https",
    "x-scheme": "https",
    "content-length": "2252",
    "content-type": "application/json",
    "user-agent": "PostmanRuntime/7.28.4",
    "accept": "*/*",
    "cache-control": "no-cache",
    "accept-encoding": "gzip, deflate, br"
},

If the real external IP was in the “x-real-ip” header I could implement some kind of condition (not optimal but feasible by code).

Hi I was facing something similar. I have a really big workflow so broke it down into smaller separate workflows.
I used webhooks in all these smaller workflows. I only wanted to use these workflows internally.
I created an IF node that compared the “x-forwarded-for” from the header against my server IP.

The only drawback it happens after the request comes through. But with a good user name and password and the IP check, I could keep the workflows semi-private.

I hope this helps

2 Likes