Is Your Make.com Webhook URL Safe? 5 Risks Most Automators Ignore

You built your first Make.com automation. A form on your website, a webhook catching the data, maybe some AI magic in between. It works. You are proud. You should be.

But here is a question most tutorials skip entirely: what happens when someone finds your webhook URL?

Because they can. And it is easier than you think.

Your Webhook URL Is Not a Secret

When you embed a contact form on your website and connect it to a Make.com webhook, the webhook URL lives in your HTML source code. Anyone with a browser can press F12, open the Network tab, submit the form, and see exactly where the data goes.

That URL is a direct line into your automation. No login required. No authentication. Just a POST request with whatever data someone wants to send.

For most small business automations, this is fine. The risk is low, the traffic is small, and nobody is targeting your lead qualification form. But “fine” is not the same as “safe,” and the moment your automation handles real client data or triggers paid API calls, the stakes change.

What Can Actually Go Wrong

Cost explosion is the one that hits hardest. Imagine your workflow receives a form submission, sends it to OpenAI for analysis ($0.03), generates a PDF via an external API, and emails the result. Now imagine someone sends 5,000 fake submissions overnight. That is $150 in OpenAI costs alone, plus thousands of Make.com credits burned, plus your email sender reputation damaged from sending thousands of unwanted emails.

Data pollution is subtler but just as damaging. If your workflow logs everything to Google Sheets, fake submissions corrupt your data. Your lead scores become meaningless. Your reports are full of noise.

Prompt injection is the newest risk. If user input goes directly into an AI prompt, a malicious submission can manipulate what the AI generates. Instead of a professional quote, your system could send an email with content you never approved.

None of these require a sophisticated attacker. A bored teenager with a script can do it.

The Good News: Basic Protection Is Easy

You do not need to become a security expert. A few practical steps cover 90% of the risk for small business automations.

1. Honeypot fields in your forms catch most automated bots. It is a hidden field that real users never see, but bots fill in automatically. If it has a value, the submission is fake. Simple, invisible to your visitors, and surprisingly effective.

2. Input validation inside your workflow stops garbage data before it triggers expensive modules. A Router with a filter that checks whether the email field contains an @ symbol and the message field has more than 10 characters costs zero extra credits and prevents most junk from reaching your AI module.

3. Cost limits on your API providers are the safety net that catches everything else. OpenAI lets you set a monthly budget cap. Make.com scenarios have execution limits. PDFShift’s free tier naturally caps at 50 conversions per month. Set these limits before you go live, not after you get the bill.

4. Webhook URL rotation is your emergency plan. If you suspect your URL has been shared or abused, you can create a new webhook in Make.com in 30 seconds. The old URL dies immediately. Update your form, and you are back in business.
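
An added example, not part of the original article or of Make.com's own tooling: the honeypot check from step 1 and the validation filter from step 2 written out as JavaScript and run over constructed submissions. The field names (email, message, and website as the hidden honeypot) are assumptions; the conditions are the ones the Router filter in step 2 describes, and the $0.03 figure is the article's example cost per AI call.

```javascript
// Added example: field names (email, message, website) are assumptions, not Make.com names.
const HONEYPOT_FIELD = "website"; // hidden input that real visitors never fill in
const MIN_MESSAGE_LENGTH = 10;    // article's rule: message has more than 10 characters
const COST_PER_AI_CALL = 0.03;    // article's example cost of one OpenAI analysis

// Returns the reasons a submission should be dropped (empty array = let it through).
function screenSubmission(fields) {
  if (fields === null || typeof fields !== "object") return ["not_an_object"];
  const reasons = [];
  const asText = (v) => (typeof v === "string" ? v.trim() : "");
  const hp = fields[HONEYPOT_FIELD];
  if (hp != null && String(hp).trim() !== "") reasons.push("honeypot_filled");
  if (!asText(fields.email).includes("@")) reasons.push("email_missing_at");
  if (asText(fields.message).length <= MIN_MESSAGE_LENGTH) reasons.push("message_too_short");
  return reasons;
}

// Screens a batch and reports how many paid AI calls the filter avoided.
function screenBatch(submissions) {
  const passed = [];
  const rejected = [];
  for (const s of submissions) {
    const reasons = screenSubmission(s);
    if (reasons.length === 0) passed.push(s);
    else rejected.push({ submission: s, reasons });
  }
  // Each rejected submission is one AI call that never ran.
  const costAvoided = Number((rejected.length * COST_PER_AI_CALL).toFixed(2));
  return { passed, rejected, costAvoided };
}

// Constructed sample submissions (not real traffic).
const SAMPLE = [
  { email: "ana@example.com", message: "Please send a quote for a new website.", website: "" },
  { email: "bot@example.com", message: "Buy cheap followers today, click here", website: "http://spam.example" },
  { email: "not-an-email", message: "Hello there, I need some help.", website: "" },
  { email: "x@example.com", message: "hi", website: "" },
  { message: 12345 }, // wrong types and missing fields are treated as empty
];

const result = screenBatch(SAMPLE);
console.log(`${result.passed.length} passed, ${result.rejected.length} rejected, $${result.costAvoided} in AI calls avoided`);
```

The order matters the same way it does in the scenario: the screening runs before any paid module, so a rejected submission costs nothing downstream.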

What About GDPR?

If your forms collect personal data – names, emails, health information, financial details – and you have any clients in the EU, GDPR applies. This is not optional and it is not just for big companies.

The short version: tell people what data you collect and why, get their consent, do not store what you do not need, and know that when you send data through OpenAI’s API, you are sharing it with a third party. That last point needs to be in your privacy policy.

The long version is a topic of its own. But the automation-specific angle matters: every module in your workflow that touches personal data is a potential compliance point. Your Google Sheet, your email module, your AI prompt – they all handle data that someone trusted you with.

The Real Takeaway

Webhook security is not about building Fort Knox around your contact form. It is about knowing the risks, setting basic guardrails, and having a plan for when something goes sideways.

Three things to do today:

  1. Check whether your forms have spam protection (honeypot, CAPTCHA, or both)
  2. Set a monthly budget limit on your OpenAI account
  3. Add at least one validation filter in your Make.com workflow before any paid API call

That is twenty minutes of work that can save you hundreds of dollars and a lot of headaches.

I build Make.com automation kits for small businesses at La Maquina Studio. Every kit ships with built-in security features including honeypot forms, input validation patterns, and a detailed security setup guide. If webhook security keeps you up at night, the automation kits handle the hard parts for you.


ABOUT THE AUTHOR

Susana Toth

Make.com Certified Expert & Founder, La Maquina Studio

Susana Toth is a Make.com Certified Expert and the founder of La Maquina Studio, where she helps small businesses and consultants eliminate repetitive work through smart automation. With 20+ years of experience in web design, business consulting, and digital strategy, she builds practical AI-powered workflows that save hours every week — without writing a single line of code. She writes about Make.com automation, AI integration, and building systems that work while you don’t.
