Protect public webhooks with Ainoflow Guard rate limiting

Name: Protect public webhooks with Ainoflow Guard rate limiting
Availability: InStock
Author: Dmitrij Zykovic

Open on n8n.io

$20/month : Unlimited workflows

2500 executions/month

Try free

THE #1 IN WEB SCRAPING

Scrape any website without limits

Try free

HOSTINGER

Early Deal
DISCOUNT 20%

Self-hosted n8n

Unlimited workflows - from $4.99/mo

Try free

#1 hub for scraping, AI & automation

6000+ actors - $5 credits/mo

Try free

Overview

Webhook Rate Limiter (Ainoflow Guard)

Stop webhook flooding before it starts. Add production-grade rate limiting to any n8n webhook in minutes - reject abusive traffic before expensive workflow logic executes.

✨ Key Features

⚡ Edge-style decisions - Allow/deny checked before any business logic runs
🛡️ Burst protection - Configurable limits (requests per time window)
🔄 Stateless - No queues, databases, or counters needed in n8n
📡 Proxy-aware - Correct IP extraction behind Cloudflare, nginx, load balancers
🔑 Dual identity modes - Rate limit by IP address or API key
⏱️ Retry-After headers - Proper 429 responses with retry guidance
💥 Fail-open - Guard outage doesn't block your production traffic
🔧 Auto-setup - Guard policy auto-creates on first request

🎯 How It Works

Webhook receives POST request
Identity extracted from headers:

API key (x-api-key) → per-client limiting
Client IP (X-Forwarded-For / x-real-ip) → per-IP limiting

Guard decides allow or deny:

POST /api/v1/guard/{route:identity}/counter
Checks against configured rate limit policy

Allowed → your business logic executes → 200 OK
Denied → immediate 429 Too Many Requests + Retry-After header

Client → Webhook → Identity → Guard → Allowed? → Business Logic → 200 OK
 ↓ NO
 429 + Retry-After

🔧 Setup Requirements

Ainoflow - Sign up free for Guard API access. Free plan available.

That's it. One credential, one API.

⚡ Quick Start

1. Import workflow and set Ainoflow Bearer credential on `GuardCheck` node

2. Edit `Config` node with your limits:

Variable	Default	Description
`rate_limit`	`30`	Max requests per window
`window_sec`	`60`	Window in seconds
`identity_mode`	`ip`	`ip` or `apiKey`
`route_name`	`webhook`	Endpoint name

3. Replace `BusinessLogic` node with your workflow

Access original request:

const body = $('Webhook').first().json.body;
const headers = $('Webhook').first().json.headers;

4. Activate and test

🧪 Testing

Burst Test

Bash (Linux/macOS):

for i in {1..50}; do
 curl -s -o /dev/null -w "%{http_code}\n" \
 -X POST https://your-n8n.com/webhook/rate-limited-endpoint \
 -H "Content-Type: application/json" \
 -d '{"test": true}'
done

PowerShell (Windows):

1..50 | ForEach-Object {
 (Invoke-WebRequest -Uri "https://your-n8n.com/webhook/rate-limited-endpoint" -Method POST -Body '{"test":true}' -ContentType "application/json" -UseBasicParsing).StatusCode
}

Expected: First 30 → 200, remaining → 429

Proxy Test

curl -H "X-Forwarded-For: 1.2.3.4, 5.6.7.8" \
 -X POST https://your-n8n.com/webhook/rate-limited-endpoint

Identity key should use 1.2.3.4 (first IP from chain).

💬 Response Examples

Allowed (200 OK)

{
 "ok": true,
 "data": { "message": "Request processed successfully" }
}

Denied (429 Too Many Requests)

Headers: Retry-After: 17

{
 "ok": false,
 "error": "rate_limited",
 "retryAfter": 17
}

🏗️ Workflow Architecture

Section	Nodes	Description
Rate Limit Check	Webhook → Config → BuildIdentity → GuardCheck → IfAllowed	Extract identity, check Guard
Allowed Path	BusinessLogic → RespondOk	Your logic + 200 response
Denied Path	BuildDeniedResponse → RespondRateLimited	429 + Retry-After

Total: 9 nodes. Minimal by design.

🔒 What This Protects Against

✅ Webhook flooding - bot traffic, retry storms hitting your endpoint
✅ Credit burn - one runaway loop = €500+ OpenAI/Twilio bill overnight
✅ Automation overload - uncontrolled DB writes, external API hammering
✅ Accidental loops - webhook chains triggering each other endlessly

❌ What This Does NOT Replace

Cloudflare / WAF (network-level protection)
Bot detection (behavioral analysis)
Layer 3/4 DDoS mitigation
Authentication (who is the user?)

Guard handles application-level rate decisions, not network security.

🔑 Identity Modes

IP Mode (default)

Best for public webhooks where clients don't have API keys.

X-Forwarded-For: 1.2.3.4, 5.6.7.8 → identity = "1.2.3.4"
x-real-ip: 10.0.0.1 → identity = "10.0.0.1"

⚠️ IP addresses can be shared (NAT, mobile carriers, offices).

API Key Mode

Best for authenticated endpoints with per-client keys.

x-api-key: client_abc123 → identity = "client_abc123"

Falls back to IP if header is missing.

🛠️ Customization

Rate Limit Presets

Use Case	rate_limit	window_sec	Result
Burst protection	30	60	30/min
API rate limiting	100	3600	100/hour
LLM cost protection	10	60	10/min
Daily limit	1000	86400	1000/day

Multiple Endpoints

Use different route_name values to create separate rate limits:

Config A: route_name = "orders" → key = "orders:1.2.3.4"
Config B: route_name = "payments" → key = "payments:1.2.3.4"

Each route has independent counters.

Fail-Open vs Fail-Closed

Default: Fail-open - Guard API uses failOpen=true, so Guard outage doesn't block traffic.

To switch to fail-closed: change failOpen query parameter to false in GuardCheck node.

Combine with Shield (Dedup Protection)

Getting duplicate webhook deliveries? Add Ainoflow Shield before your business logic - one trigger, one execution, guaranteed. Guard + Shield = rate limiting + deduplication on the same endpoint.

⚠️ Important Notes

Guard policy auto-creates on first request with rateMax/rateWindow parameters
allowPolicyOverwrite=true is set for easy demo/testing - Config node values always apply. Production: set to false in GuardCheck query params to lock policy and prevent hidden config drift
Denied requests not counted - only successful requests increment the counter
Window resets atomically - no gradual decay, clean reset every N seconds
No state in n8n - all rate limiting state lives in Guard API
5-second timeout - GuardCheck has 5s timeout to prevent blocking

💼 Need Customization?

Want to add temporary bans, cost protection mode, multi-tier rate limiting, or per-client usage dashboards?

Ainova Systems - We build custom AI automation infrastructure and safety layers for production workflows.

Tags: webhook, rate-limiting, security, guard, burst-protection, api-protection, ainoflow, production, webhook-security, cost-control

Dmitrij Zykovic

3 workflows

Complexity

advanced

Published 18 Feb 2026

Likes 0

View on n8n.io Download Workflow

Install path: /data/workflows/13491/13491.json

Share Your Workflow

Have a useful automation to share? Publish it and help the community.

Submit Your Template How to Submit

Related Workflows

Orchestrate multi-agent compliance monitoring and audit logging with GPT-4o and Slack

## How It Works This workflow automates enterprise compliance governance using a multi-agent AI architecture. It targets compliance officers, legal teams, and risk managers who need continuous, jurisdiction-aware monitoring without manual intervention.The workflow runs on two paths: a scheduled governance check and an event-driven compliance signal receiver. Both converge on a central Governance Agent that orchestrates four specialised sub-agents, Compliance Signal, Jurisdiction Analysis, Remediation Planning, and Audit Documentation, each backed by dedicated AI models. External tools handle API lookups, penalty calculations, escalation notifications, and structured output parsing. Results feed into immutable audit logs, merged with scheduled reports, and dispatched as a daily email summary. Escalation logic ensures critical violations trigger immediate alerts. This eliminates fragmented compliance tracking, reduces human error, and provides auditable, timestamped records across multiple regulatory jurisdictions. ## Setup Steps 1. Add Claude/OpenAI credentials to all Chat Model nodes. 2. Configure the External Compliance API Tool with your regulatory API key and endpoint. 3. Set the Compliance Data Calculation Tool parameters (jurisdiction codes, penalty thresholds). 4. Connect the Escalation Notification Tool to your email or Slack credentials. 5. Set the Periodic Compliance Check schedule (cron) to your audit cadence. ## Prerequisites - External compliance/regulatory API access - Email or Slack account for notifications - n8n instance (v1.40+ recommended) ## Use Cases - Automated GDPR/MAS/SOX compliance monitoring across jurisdictions ## Customization Swap AI models per agent for cost optimisation. ## Benefits Eliminates manual compliance checks with autonomous multi-agent orchestration.

View

Detect WooCommerce order fraud and send alerts to Slack

# WooCommerce Fraud Detection & Slack Alert Workflow This workflow automatically monitors WooCommerce orders, evaluates them for fraud using multiple checks (address mismatch, high-value orders, suspicious emails, admin orders), calculates a fraud score and sends alerts to Slack when risk is detected. ### Quick Implementation Steps 1. Import the workflow JSON into n8n 2. Configure WooCommerce API credentials 3. Set up Slack API credentials and channel 4. Adjust fraud rules (amount threshold, email regex, etc.) 5. Test with sample order data 6. Activate the workflow ## What It Does This workflow automates fraud detection for WooCommerce orders by applying multiple validation checks and assigning a fraud score. It starts with scheduled execution, fetches order data and prepares it for evaluation by extracting key details such as billing information, order value and customer email. Once the data is prepared, the workflow applies a series of fraud detection rules. These include checking whether billing and shipping details mismatch, identifying high-value orders, detecting suspicious or disposable email addresses and verifying if the order was created by an admin. Each condition contributes to a fraud score based on predefined logic. Finally, all signals are merged and a fraud score is calculated. If the score crosses the defined threshold, a detailed alert is sent to a Slack channel with complete order and risk information, enabling quick manual review and action. ## Who’s It For - eCommerce store owners using WooCommerce - Fraud prevention and risk management teams - Operations teams handling order validation - Developers building automation workflows in n8n - Businesses wanting real-time fraud alerts in Slack ## Requirements to Use This Workflow - n8n instance (self-hosted or cloud) - WooCommerce store with API access enabled - WooCommerce API credentials configured in n8n - Slack workspace with API credentials - Slack channel ID for sending alerts - Basic understanding of n8n nodes and workflows ## How It Works & Set Up ### Setup Instructions 1. Import the workflow JSON into your n8n workspace 2. Configure the **Schedule Trigger** node to define execution frequency 3. Set up the **WooCommerce node**: - Add API credentials - Ensure correct store URL - Modify `orderId` if needed 4. Configure **Slack node**: - Connect Slack API credentials - Select or update the target channel 5. Review **Set nodes**: - Ensure fields like email, total and address are correctly mapped 6. Validate **IF conditions**: - Status check (pending/processing) - Address mismatch logic - High-value threshold (default: 500) - Email regex for disposable domains 7. Review **Code node** logic: - Fraud score calculation rules - Adjust scoring weights if needed 8. Test the workflow: - Use sample order data - Verify Slack alert output 9. Activate the workflow for automatic execution ## How To Customize Nodes - **Check High Value (>500)** Modify the threshold value to match your business needs - **Detect Disposable Email** Update regex pattern to include more domains - **Calculate Fraud Score (Code Node)** Adjust scoring logic: ```js if ($json.high_value_order) score += 3; ``` - **Fraud Threshold Check** Change minimum score required to trigger alerts - **Slack Message Node** Customize alert message format and included fields ## Add-ons (Enhancements) - Store fraud results in a database (MySQL, MongoDB, etc.) - Automatically cancel or hold suspicious orders via WooCommerce API - Send email alerts in addition to Slack notifications - Add IP geolocation checks for advanced fraud detection - Integrate with third-party fraud detection APIs - Add risk categorization (Low / Medium / High) ## Use Case Examples - Detect high-value fraudulent orders before fulfillment - Identify mismatched shipping addresses for manual review - Flag orders using disposable or temporary email addresses - Monitor admin-created orders to reduce internal misuse risk - Real-time fraud alerts for operations teams via Slack > There can be many more use cases depending on how you extend and customize this workflow. ## Troubleshooting Guide | Issue | Possible Cause | Solution | | --------------------------- | ------------------------------------- | -------------------------------------------- | | No orders fetched | Incorrect WooCommerce credentials | Verify API keys and store URL | | Slack message not sent | Wrong Slack credentials or channel ID | Reconnect Slack and check channel | | Fraud score always 0 | Conditions not triggering | Verify IF node logic and data mapping | | Email detection not working | Regex not matching | Update regex pattern | | Workflow not running | Schedule trigger not configured | Set interval correctly and activate workflow | ## Need Help? If you need assistance setting up this workflow, customizing fraud rules or adding advanced features, our [n8n workflow development team](https://www.weblineindia.com/hire-n8n-developers/) at **WeblineIndia** is here to help. We can help you: - Customize this workflow for your business needs - Integrate with external systems and APIs - Build advanced fraud detection logic - Create fully automated eCommerce workflows 👉 [Reach out to WeblineIndia](https://www.weblineindia.com/contact-us.html) for expert support and tailored automation solutions.

View

Secure AI agent webhook with HMAC, replay protection, and OpenAI GPT-5

## **⚠️ Disclaimer:** > I am **not a cybersecurity expert**. This workflow was built through research and with the assistance of an LLM (Claude Opus 4.6). While it implements well-established security patterns (HMAC-SHA256, timing-safe comparison, replay protection, strict payload validation), please review the logic carefully and ensure it meets your own security requirements before deploying it in production. ## Who is this for? This template is for anyone exposing an n8n workflow via webhook and wanting to ensure that only authenticated, untampered requests are processed. ## What problem does this solve? Public webhooks are vulnerable by default. Without proper verification, anyone who discovers your URL can send forged requests, replay old ones, or inject unexpected parameters. While n8n's built-in Webhook authentication modes (Basic Auth, Header Auth, JWT) verify who is calling, they don't verify that the payload hasn't been altered, that the request is fresh, or that the data structure matches what you expect. This template adds those missing layers: - **Authentication** — Verifies the sender's identity through HMAC-SHA256 signature validation - **Integrity** — Ensures the payload hasn't been modified by signing the raw body byte-for-byte - **Replay protection** — Rejects requests with expired timestamps (configurable, default: 5 minutes) - **Payload sanitization** — Strict whitelist filtering blocks unauthorized fields before they reach your logic ## What this workflow does The workflow chains six security layers before any business logic runs: 1. **Webhook** receives the request with Header Auth + Raw Body enabled to preserve the original payload 2. **Extract rawBody** (Code node) decodes the binary into a UTF-8 string and extracts the security headers 3. **Crypto** computes the HMAC-SHA256 signature of `{timestamp}.{rawBody}` using your HMAC secret 4. **Timing-Safe HMAC Check** (Code node) validates the timestamp freshness and compares signatures using `crypto.timingSafeEqual()` 5. **Strict Payload Validation** (Code node) parses the JSON, checks required fields, and rejects any unexpected keys 6. **AI Agent** processes the prompt only after all checks pass Invalid requests are immediately rejected with `403 Forbidden` (signature/timestamp failure) or `400 Bad Request` (payload validation failure), with no response body to avoid leaking internal logic. ## Example use case The included example protects an AI Agent endpoint that expects a simple `{"prompt": "..."}` payload. But this is just a **starting point** — replace the AI Agent with any node and adapt the payload validation to your own schema. **Common adaptations:** * CRM or SaaS event callbacks * CRUD operations on a database * Third-party API integrations ## Setup ### Prerequisites - An n8n instance (Cloud or Self-hosted) - A shared HMAC secret between the sender and this workflow — **keep it safe and never expose it in workflow logs or execution data** ## Going further This workflow is a solid starting point — it's more secure than a raw exposed webhook. However, it focuses on application-level security (authentication, integrity, replay protection, payload sanitization). For a production-grade setup, consider adding layers at the **infrastructure level** : - **Rate limiting** - **IP whitelisting** - **Reverse proxy hardening**

View

Need Custom Automation?

Get help designing a custom n8n workflow that connects your stack and fits your process.

Protect public webhooks with Ainoflow Guard rate limiting

Workflow preview

Overview

Webhook Rate Limiter (Ainoflow Guard)

✨ Key Features

🎯 How It Works

🔧 Setup Requirements

⚡ Quick Start

1. Import workflow and set Ainoflow Bearer credential on GuardCheck node

2. Edit Config node with your limits:

3. Replace BusinessLogic node with your workflow

4. Activate and test

🧪 Testing

Burst Test

Proxy Test

💬 Response Examples

Allowed (200 OK)

Denied (429 Too Many Requests)

🏗️ Workflow Architecture

🔒 What This Protects Against

❌ What This Does NOT Replace

🔑 Identity Modes

IP Mode (default)

API Key Mode

🛠️ Customization

Rate Limit Presets

Multiple Endpoints

Fail-Open vs Fail-Closed

Combine with Shield (Dedup Protection)

⚠️ Important Notes

💼 Need Customization?

1. Import workflow and set Ainoflow Bearer credential on `GuardCheck` node

2. Edit `Config` node with your limits:

3. Replace `BusinessLogic` node with your workflow