Secured Webhook - WF Fusion

Question

Hello Everyone,

I am looking for some suggestions on the Securing Webhook topic in WF Fusion.
Below are the details

1. I tried to use the OOB Webhooks module to generate a Webhook, that will be used by a third party to POST Json objects.
2. I would like to consume this data & perform a mapping functionality, that'll be later used to create a Workfront object.

The Questions I have are as below,

1. How do I secure this webhook ? IP whitelisting would not work in my case as we are using ALB of GCP (i.e) Dynamic IP. Note: the reply on this post wasn't helpful because the user who posts the json doesn't have to be on WF.
2. Frame.io seems like a good alternative to webhooks, but does it come with an additional cost ?

Thanks in advance !

cverges · Accepted Answer

This is a known problem with how Fusion/Make.com deal with webhooks.  It has no way to, for example, allow JWT or OAuth 2.0 to allow for proper security.  If you know the webhook URL or the static header values in use, you can call it.  JWT would be much more proper in 2025+.  I'd suggest you file an Idea in the Workfront Fusion forum here.

Sven-iX · Answer

Hi @harishde
Not sure how Frame.io factors into securing webhooks, but you have 2 options:

IP whitelisting which doesn't work for you
an expected header value you check for
an expected query argument (or multiple) you check for

either way, it'll be one or more static strings you check.
Of course you could get crafty and create an "auth scenario" that expects a couple values (say a user email and a key) that you could store in a datastore, and if they match, you store a "session" variable along with that data store record. Then you return a 302 redirect to the actual scenario with the "session" in the URL, and the requesting app accesses the real scenario which does a check whether the session is valid.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded