Form webhooks are not secure

We want to hit an API endpoint with a form webhook. However, we quickly noticed that there is no way to ensure the origin of a webhook being from Webflow. Is there some security mechanism that I am not aware of? Is there any way to validate the webhook is in fact coming from Webflow?


Here is my site Read-Only: LINK

1 Like

Two years later, looking for this same answer. I want to verify that the webhooks are valid so nobody can abuse my endpoints. Stripe does this really well with signatures on their endpoints (Check the webhook signatures | Stripe Documentation). Are there any updates here? I can’t implement these webhooks if I know they can be abused.

1 Like

Security through obscurity is the only option with Webflow webhooks at this time.

Why don’t the Webflow Webhooks include origin in their headers? That’s the standard practice for CORS.

@Will_Matz the best solution I can think of is to use your server middleware to check for your site(s) ID in the form submissions payload, and reject the request if it doesn’t match.

e.g. if the form submit payload from Webflow is:
{"name":"newsletter-form","site":"3981216395","data":...

in your (req, res) => handler function, when you’re already checking for allowed origin(s), add an exception for requests whose body contains the correct Site ID.

Is it possible to get form data by _id from that webhook payload?

In case someone else stumbles on this – Webflow now offers webhook signatures to address this problem.

Somewhat awkwardly, at the moment (October 2022) the signature header field is not set for webhooks that are created via a site’s dashboard, which is the easiest one-off setup process. Instead, one needs to create a Webflow OAuth app, grant it access to your own site using the OAuth redirect flow, and then use the OAuth app to create the webhook via API.

1 Like
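Added example (not code from any poster in this thread, and not Webflow's documented format): a Node.js check showing why a signature stops the forgery that the site-ID check alone cannot. The signing string (`timestamp:rawBody`), the 5-minute replay window, the secret and the function names are assumptions; take the real header names and signing format from the provider's documentation.

```javascript
const crypto = require('node:crypto');

// ASSUMED scheme (not specified in this thread): the sender supplies a millisecond
// timestamp and a hex HMAC-SHA256 over `${timestamp}:${rawBody}`, keyed with a shared secret.
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed replay window

function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}:${rawBody}`).digest('hex');
}

// Returns 'ok' or the reason for rejection. rawBody must be the exact bytes received,
// captured before any JSON middleware re-serializes them.
function verifyWebhook({ secret, timestamp, signature, rawBody, expectedSiteId, now = Date.now() }) {
  if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/i.test(signature)) return 'bad-signature-format';
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return 'stale-timestamp';
  const expected = Buffer.from(sign(secret, timestamp, rawBody), 'hex');
  if (!crypto.timingSafeEqual(expected, Buffer.from(signature, 'hex'))) return 'signature-mismatch';
  // Only now is the payload trusted enough to parse and compare the site ID.
  let payload;
  try { payload = JSON.parse(rawBody); } catch { return 'bad-json'; }
  return payload.site === expectedSiteId ? 'ok' : 'wrong-site';
}

// Constructed sample data; the secret and timestamp are invented for this example.
const SAMPLE = {
  secret: 'example-shared-secret',
  expectedSiteId: '3981216395',
  now: 1700000000000,
  rawBody: '{"name":"newsletter-form","site":"3981216395","data":{"email":"a@example.com"}}',
};

function demo() {
  const timestamp = String(SAMPLE.now);
  const genuine = { ...SAMPLE, timestamp, signature: sign(SAMPLE.secret, timestamp, SAMPLE.rawBody) };
  return {
    genuine: verifyWebhook(genuine),
    // Correct site ID in the body, but signed without knowledge of the secret.
    forged: verifyWebhook({ ...genuine, signature: sign('wrong-secret', timestamp, SAMPLE.rawBody) }),
    // Valid signature replayed an hour later.
    replayed: verifyWebhook({ ...genuine, now: SAMPLE.now + 60 * 60 * 1000 }),
    // Body altered after signing.
    tampered: verifyWebhook({ ...genuine, rawBody: SAMPLE.rawBody.replace('a@', 'b@') }),
  };
}

console.log(demo());
```

The forged request carries the correct site ID and is still rejected, which is the gap a body-only check leaves open.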

Well that’s interesting, thanks for sharing @brahn.

Looks great for app developers but not very realistic for just gluing together some functionality with other platforms from your Webflow project. A step in the right direction nonetheless!

I can’t find this anywhere now - November 2022

Ah… they just moved things around since then. Here’s the new link: Verifying Requests (hard to find now)

1 Like

Thank you, good sir! Now to figure out the app creation

Hey @brahn and @gal-noba!

Hope you are both doing well! Merry Christmas and Happy Holidays

We just wanted to let you know that our free tool here now lets you generate webhooks for your Webflow site through an OAuth connection. Additionally, you can attach a webhook to a specific form as well by inputting the form name. That way, your webhook is only fired for that particular form, as opposed to whenever any form is submitted on your site.

Please let us know if you have any questions! Don’t hesitate to reach out via email or through our Intercom messenger.