Secure webhooks - how to do this in integromat

I would like to secure the webhooks in make.com so that only my app can connect to them. Obscure URLs aren’t really protection. I could just pass a username and password in the header and then check in the webhook that they are [resent but even that is not very secure as they could be stolen by anyone who could see the network connection. Is there a way to generate a key pair on integromat and then pass the public key to my app to connect with. There is no human interaction during the app connecting with make so that is a restriction.

2 Likes

I usually try to use a combination of things to make it secure… Most likely, you know them all but I will mention it just in case:

  • Pass a token from my app and apply a filter on the link (so if I get incorrect token or id, I simply wont continue with the route)

  • Enable “Get request headers” and use Filter to allow or disallow based on certain header details (i.e user-agent etc).

  • Enable the IP restriction (you can use CIDR notation to whitelist multiple subnets).

Let me know if you do find a better way to secure the webhook.

Thanks!

1 Like

@Anthony_Castle

One common method used for this is to send signed/encoded tokens, often using the standard referred to as a “JSON Web Token” or “JWT” (pronounced “jot”).

A good place to get started with more information on JWTs is: JSON Web Tokens - jwt.io


Jim - The Monday Man (YouTube Channel)
Watch Our Latest Video: Creating monday subitems using Make/Integromat The Monday Man Way
Contact me directly here: Contact – The Monday Man

Not fully addressing your question, but you could do as you’ve just outlined and not have it stolen as the data contained within the network connection would be encrypted.

For example, making a POST request to the https Webhook endpoint url:

curl -d '{"key1":"value1", "key2":"value2"}' -H "Content-Type: application/json" -X POST https://hook.us1.make.com/8fsmnc9e2lnejcfs9s2oomoudgovijtg

Will encrypt the JSON ({"key1":"value1", "key2":"value2"}). That could indeed contain a “secret token” that you then verify after the Webhook is received within Make.