Secure AI agent webhook with HMAC, replay protection, and OpenAI GPT-5
⚠️ Disclaimer: > I am not a cybersecurity expert. This workflow was built through research and with the assistance of an LLM (Claude Opus 4.6). While it implements well-established security patterns (HMAC-SHA256, t...
Template notes
⚠️ Disclaimer: > I am not a cybersecurity expert. This workflow was built through research and with the assistance of an LLM (Claude Opus 4.6). While it implements well-established security patterns (HMAC-SHA256, timing-safe comparison, replay protection, strict payload validation), please review the logic carefully and ensure it meets your own security requirements before deploying it in production.
Who is this for?
This template is for anyone exposing an n8n workflow via webhook and wanting to ensure that only authenticated, untampered requests are processed.
What problem does this solve? Public webhooks are vulnerable by default. Without proper verification, anyone who discovers your URL can send forged requests, replay old ones, or inject unexpected parameters. While n8n's built-in Webhook authentication modes (Basic Auth, Header Auth, JWT) verify who is calling, they don't verify that the payload hasn't been altered, that the request is fresh, or that the data structure matches what you expect. This template adds those missing layers:
- Authentication — Verifies the sender's identity through HMAC-SHA256 signature validation - Integrity — Ensures the payload hasn't been modified by signing the raw body byte-for-byte - Replay protection — Rejects requests with expired timestamps (configurable, default: 5 minutes) - Payload sanitization — Strict whitelist filtering blocks unauthorized fields before they reach your logic
What this workflow does
The workflow chains six security layers before any business logic runs:
1. Webhook receives the request with Header Auth + Raw Body enabled to preserve the original payload 2. Extract rawBody (Code node) decodes the binary into a UTF-8 string and extracts the security headers 3. Crypto computes the HMAC-SHA256 signature of {timestamp}.{rawBody} using your HMAC secret 4. Timing-Safe HMAC Check (Code node) validates the timestamp freshness and compares signatures using crypto.timingSafeEqual() 5. Strict Payload Validation (Code node) parses the JSON, checks required fields, and rejects any unexpected keys 6. AI Agent processes the prompt only after all checks pass