How to Secure Webhooks in a Non-Authenticated Softr App

Hi everyone,

I’m working on a project and need some advice on securing a webhook in a non-authenticated app (essentially a smart form). Here’s the situation:

  • I’m using a custom code block to call a REST API (webhook) as a data source. The API returns data, which I then use in the custom code block.
  • Since my app doesn’t require user authentication, whitelisting Softr IPs to secure the webhook isn’t a viable option.
  • My concern is that exposing the webhook on the client side could lead to potential security issues.

My Goal

I want to make an API call from a custom code block to a webhook securely, ensuring the webhook isn’t exposed to unauthorized users or abuse. I already have the functionality working but want to implement best practices for security.

Questions

  1. Are there other methods or best practices you’ve used to secure a webhook in a similar setup?
  2. How can I avoid exposing sensitive information while still getting the data I need from the webhook?

Any insights or suggestions would be greatly appreciated. Thank you!

@Andranik Tagging you because you have been very helpful in the past.

One idea was using a custom code block to make an API call to use the Softr REST API as a data source, with Softr whitelisted, then using the data in the custom code block. Is this even possible?

Could we load the data from the data source into a custom code block? This would be the best solution. So Softr is whitelisted, making the API call. I have a hidden block on the page with all the data, then the data is loaded in.

Why do I need to use a custom block? Because it allows me much more flexibility.

@artur Would you have any idea?

Welcome back! You’ve already tagged the two people who may help, but I’ll add my advice here as well:

Any time you allow a non-authenticated webhook to be called, you’re opening yourself up to a lot of “liability” and potential “runaway” API costs.

I’d personally go away from this approach and figure out another way that you can either pre-fetch this data and save it in your DB, or another solution that doesn’t leave your app unprotected like this.

Another idea is maybe using a conditional form, and in the first step you ask for their email, and then you use the form to call the API so at the very least, you’re capturing an email and offering a “slow down” point so the endpoint isn’t spammed.

Hope this helps!


Thanks for the answer. I agree, that’s why I am trying to find a way to not do it.

Is there any way to use data from, let’s say, a table or list block on the page within a custom code block?

I don’t believe so. It’s custom code so I am sure there is a way, but you’d have to hit an API call to fetch that data from your data source. I don’t think you can reuse the data being called from the other blocks.

Can I ask what kind of app you’re trying to make?

I was able to figure out the code to access the block. But the block cannot be hidden, which is an issue for me. I made a separate inquiry about it.

@Lev the webhook you have, is it a Make or Zapier one? Also, is the block that uses the call public or for logged-in users only?

Public, but in the future the whole app will be login only; for now it is public since it is a first iteration.

Also, it goes to Make. In Make I created a tracker to not allow spam on the webhook, only allowing a user to call it 3 times every minute.
@artur
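As an added illustration of the two ideas raised in this thread (the earlier reply’s suggestion to keep the call off the client and collect an email as a “slow down” point, and the last post’s tracker allowing 3 calls per minute), here is a small server-side proxy in JavaScript. It is example code written for this page, not Softr’s, Make’s or the poster’s code; the names `RateLimiter`, `proxyFormSubmission`, `pickAllowedFields` and the injected `forwardToWebhook` stand-in are assumptions, and the secret Make webhook URL and token are placeholders that live only on the server. The browser custom code block would call this proxy instead of the webhook directly.

```javascript
// Added example (not from the thread): a server-side proxy that keeps the real
// webhook URL and token out of the browser, forwards only an allowlisted set
// of form fields, and enforces a per-caller quota of 3 calls per 60 seconds.
// All names below are assumptions; the webhook URL/token are placeholders.

const MAKE_WEBHOOK_URL = 'https://hook.example.invalid/PLACEHOLDER'; // server-side only
const MAKE_WEBHOOK_TOKEN = 'PLACEHOLDER_TOKEN';                       // never sent to the client

// Fixed-window counter keyed by caller identity (here the submitted email;
// the client IP seen by the proxy would be another reasonable key).
class RateLimiter {
  constructor(limit = 3, windowMs = 60000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Records the call and returns true if within quota, false if over it.
  allow(key, nowMs = Date.now()) {
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    const bucket = this.buckets.get(key);
    if (!bucket || bucket.windowStart !== windowStart) {
      this.buckets.set(key, { windowStart, count: 1 });
      return true;
    }
    if (bucket.count >= this.limit) return false;
    bucket.count += 1;
    return true;
  }
}

// Only these fields reach the Make scenario; anything else the client
// sends is dropped so extra parameters cannot be smuggled upstream.
const ALLOWED_FIELDS = ['email', 'message'];

function pickAllowedFields(body) {
  const out = {};
  for (const f of ALLOWED_FIELDS) {
    if (typeof body[f] === 'string' && body[f].length <= 1000) out[f] = body[f];
  }
  return out;
}

// Stand-in for the real upstream call so the example runs offline. In
// deployment this would be `await fetch(MAKE_WEBHOOK_URL, { method: 'POST',
// headers: { Authorization: 'Bearer ' + MAKE_WEBHOOK_TOKEN }, body: ... })`.
function defaultForwardToWebhook(payload) {
  return { result: 'accepted:' + payload.email };
}

// The proxy handler: validate, rate-limit, forward the allowlisted payload,
// and return only what the page needs (never upstream URLs, tokens or raw errors).
function proxyFormSubmission(req, limiter, forwardToWebhook = defaultForwardToWebhook, nowMs = Date.now()) {
  const body = req.body || {};
  const email = typeof body.email === 'string' ? body.email.trim().toLowerCase() : '';
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { status: 400, body: { error: 'valid email required' } };
  }
  if (!limiter.allow(email, nowMs)) {
    return { status: 429, body: { error: 'too many requests, try again in a minute' } };
  }
  const payload = pickAllowedFields({ ...body, email });
  const upstream = forwardToWebhook(payload);
  return { status: 200, body: { result: upstream.result } };
}

module.exports = { RateLimiter, pickAllowedFields, proxyFormSubmission };
```

The quota is keyed on the normalized email, so the first form step collects the identity that the limiter counts against; a fourth submission inside the same minute gets a 429 without the upstream webhook ever being called, and the response body never contains the webhook URL, token or any field the upstream returned beyond `result`.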