SEC-3: Webhook Authentication

Summary

SEC-3 focuses on Make.com scenarios and n8n workflows that can be triggered from public or external entry points. FlowBeacon uses this policy to highlight cases where inbound access may not be protected strongly enough for production use.

Severity: High · Category: Security · Platforms: Make.com, n8n

What FlowBeacon Reviews

  • Whether inbound triggers appear to require an appropriate access check.
  • Whether public-facing entry points are protected in a way that matches their risk.
  • Whether externally triggered automations may accept traffic too broadly.

Why This Matters

  • Unprotected inbound endpoints can allow unauthorized traffic or misuse.
  • Strong entry controls reduce the risk of fake requests, noise, and downstream impact.
  • Access protection at the boundary is a basic part of secure automation design.

If This Policy Is Flagged

  1. Review how the automation is triggered and who should be allowed to call it.
  2. Apply supported authentication or source restrictions that fit the use case.
  3. Confirm that unauthorized requests are rejected before the automation runs.
  4. Re-run the evaluation after inbound access is properly protected.
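
One way to carry out steps 2 and 3, as an added example that is not FlowBeacon, Make.com or n8n code: a platform-independent HMAC check that rejects a request before any automation logic runs, followed by constructed requests that confirm the rejections. The header names, the secret and the 300-second freshness window are assumptions chosen for illustration.

```javascript
// Added example: HMAC check for an inbound webhook, run before any automation logic.
// Header names, the secret and the 300 s window are assumptions, not platform settings.
const nodeCrypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300;

function sign(secret, timestamp, rawBody) {
  // Bind the timestamp to the body so a captured signature cannot be reused later.
  return nodeCrypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
}

function verifyWebhook({ headers, rawBody }, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const timestamp = headers['x-webhook-timestamp'];
  const signature = headers['x-webhook-signature'];
  if (typeof timestamp !== 'string' || typeof signature !== 'string') {
    return { ok: false, status: 401, reason: 'missing credentials' };
  }
  if (!/^\d+$/.test(timestamp) || Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) {
    return { ok: false, status: 401, reason: 'stale or invalid timestamp' };
  }
  const expected = Buffer.from(sign(secret, timestamp, rawBody), 'hex');
  const provided = /^[0-9a-f]{64}$/i.test(signature) ? Buffer.from(signature, 'hex') : Buffer.alloc(0);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (provided.length !== expected.length || !nodeCrypto.timingSafeEqual(provided, expected)) {
    return { ok: false, status: 401, reason: 'bad signature' };
  }
  return { ok: true, status: 200, reason: 'authenticated' };
}

// Constructed sample requests (not real traffic): one valid, three that must be rejected.
function runRejectionChecks(secret = 'constructed-test-secret', now = 1700000000) {
  const rawBody = '{"event":"order.created"}';
  const fresh = String(now);
  const old = String(now - 3600);
  const cases = {
    valid: { 'x-webhook-timestamp': fresh, 'x-webhook-signature': sign(secret, fresh, rawBody) },
    noHeaders: {},
    wrongSecret: { 'x-webhook-timestamp': fresh, 'x-webhook-signature': sign('other', fresh, rawBody) },
    replayed: { 'x-webhook-timestamp': old, 'x-webhook-signature': sign(secret, old, rawBody) },
  };
  const results = {};
  for (const [name, headers] of Object.entries(cases)) {
    results[name] = verifyWebhook({ headers, rawBody }, secret, now).reason;
  }
  return results;
}
```

Verify against the raw request body as received, since re-serialized JSON may not match the bytes the sender signed.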

Why Users Care

  • Users reduce exposure at one of the highest-risk points in an automation.
  • Operations teams gain more confidence that only intended senders can trigger automations.
  • Platform partners and consultants can align integrations with safer default expectations.