Safe Webhooks in Switch

Posted: Thu Nov 20, 2025 2:19 pm
by magnussandstrom
We use the default Webhook element in Switch for several different workflows. Some of these webhook endpoints are exposed to the internet through a proxy. Recently, we’ve run into scenarios where we need to tighten security on these endpoints to prevent spoofing, flooding attacks, and other vulnerabilities that come with publicly accessible URLs.

Is there any way to implement stronger security measures for Webhooks in Switch?

Specifically, we’re looking for support for features such as:

• Signature verification (e.g., HMAC-SHA256 using a shared client secret)
Ensures the payload was sent by a trusted source and has not been altered.

• IP allowlisting / restrictions
Limits access to approved IP ranges.

• Rate limiting / request throttling
Reduces the risk of DDoS or brute-force attacks.

• Token-based authentication (static bearer token or rotating token)
Requires a valid token to be included with each request.

• Replay-attack protection
Using timestamp + nonce validation to ensure each request is unique and recent.

• TLS enforcement & certificate validation
Guarantees encrypted transport and prevents downgrade attacks.

• Payload size limits
Prevents oversized requests intended to overload the server.

Or do we need to use a third party tool for this (webhookrelay.com or similar)?

Re: Safe Webhooks in Switch

Posted: Thu Nov 20, 2025 3:50 pm
by JimmyHartington
As an external service I have tested SwitchMitter.

Unfortunately, there have been some legacy network issues at our company, which are not easily fixed with the need to change A LOT of other stuff, which have prevented me from implementing it.

But they have the option to whitelist IPs and also store the request in case Switch or your network is down.

Re: Safe Webhooks in Switch

Posted: Fri Nov 21, 2025 9:08 pm
by tdeschampsBluewest
Switch Mitter is really easy to use and already covers quite a few of the security points you mentioned, with the only downside being that it’s not as fast as a direct Switch webhook.

If you need stronger protection on endpoints that are exposed to the internet, using a reverse proxy is usually the best option. Something like Nginx Proxy Manager can block common exploits, manage IP allowlists and blocklists, enforce TLS, handle rate limiting, and filter payload size before anything reaches Switch. Just keep in mind that some of the more advanced features (like rate limiting or custom rules) require a bit of tinkering in the advanced Nginx config.
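
Added to this thread as an illustration (not part of any post above, and not Switch, SwitchMitter or Nginx Proxy Manager code): a Node.js verifier for the signature verification and replay-attack protection items in the first post's list. The header names, the `timestamp.nonce.body` signing layout and the 300-second window are assumptions, and the code is assumed to run in a receiver placed in front of the Switch Webhook element.

```javascript
// Added example. Header names and signing layout are hypothetical, not a Switch API.
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed freshness window for the timestamp
const seenNonces = new Map(); // nonce -> expiry; in-memory, use a shared store for several instances

// The MAC covers timestamp, nonce and raw body, so none can be swapped independently.
function sign(secret, timestamp, nonce, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${nonce}.`)
    .update(rawBody)
    .digest("hex");
}

// Returns { ok: true } or { ok: false, reason }. rawBody is the unparsed body (Buffer).
function verifyWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const timestamp = headers["x-webhook-timestamp"];
  const nonce = headers["x-webhook-nonce"];
  const signature = headers["x-webhook-signature"];
  if ([timestamp, nonce, signature].some((v) => typeof v !== "string")) {
    return { ok: false, reason: "malformed-header" };
  }
  // Strict formats keep the "timestamp.nonce.body" encoding unambiguous.
  if (!/^\d{1,12}$/.test(timestamp) || !/^[A-Za-z0-9_-]{16,64}$/.test(nonce)) {
    return { ok: false, reason: "malformed-header" };
  }
  // Verify the MAC in constant time before acting on timestamp or nonce.
  const expected = Buffer.from(sign(secret, timestamp, nonce, rawBody), "hex");
  const given = Buffer.from(signature, "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const ts = Number(timestamp);
  if (Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  // Drop expired nonces, then reject any nonce already used inside the window.
  for (const [n, expiry] of seenNonces) if (expiry < nowSeconds) seenNonces.delete(n);
  if (seenNonces.has(nonce)) return { ok: false, reason: "replayed-nonce" };
  seenNonces.set(nonce, ts + MAX_SKEW_SECONDS);
  return { ok: true };
}
```

The signature must be computed over the raw bytes as received; re-serialising parsed JSON before verification changes the bytes and makes valid requests fail.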