n8n is a flexible, self‑hosted workflow automation platform used in on‑premise and private‑cloud environments. This pillar page maps the high‑level security considerations that security engineers, DevOps teams, and administrators need to evaluate. Detailed remediation lives in the linked child guides; this page provides the overall landscape and navigation.
Architecture & Primary Attack Surfaces
n8n’s core components—Web UI, API server, Database, and optional Docker/VM runtime—each expose distinct vectors:
- Default admin credentials
- Publicly reachable webhooks
- JWT authentication settings
- Role‑Based Access Control (RBAC)
Common Misconfigurations
Typical oversights that weaken a deployment:
- Plain‑text environment‑variable secrets
- Unencrypted HTTP traffic (TLS/SSL not enforced)
- Docker image defaults with excess capabilities
Vulnerability Landscape
Community‑identified risk classes include:
- Database injection (SQL/NoSQL)
- Cross‑site scripting in custom code nodes
- Privilege escalation via crafted workflows
Production Hardening Overview
Container & Deployment Hardening
Adopt minimal base images, drop unnecessary Linux capabilities, and run as a non‑root user.
Network & API Protection
Implement rate limiting and restrict inbound ports to the minimum required.
Monitoring, Audit Logging & Incident Response
Centralise logs, forward to a SIEM, and set alerts for abnormal API activity.
Selecting the Appropriate Deep‑Dive
Your risk profile guides the order of investigation:
- Public webhooks → start with Protect n8n webhooks from exposure.
- Docker‑based deployment → prioritize Docker container security hardening and CI/CD pipeline security.
- Secrets stored in env vars → move to Prevent environment variable secret leakage and TLS/SSL configuration.
Each child guide includes a “When to use this guide” section for quick triage.
Security Practices
Authentication & Access
- Secure default credentials in n8n
- Avoid JWT authentication misconfiguration
- Common RBAC pitfalls and how to avoid them
Network & API Exposure
- Protect n8n webhooks from exposure
- API rate limiting and DoS protection for n8n
Secrets & Encryption
- Prevent environment variable secret leakage
- n8n TLS/SSL configuration for self‑hosted deployments
Container & Deployment Hardening
- Docker container security hardening for n8n
- CI/CD pipeline security checklist for n8n
- Backup and disaster recovery security for n8n
Database & Code Injection
- Database injection risks in n8n
- XSS vectors in custom n8n code
Third‑Party Nodes
- Security assessment of third‑party n8n nodes
Monitoring & Incident Response
- Audit logging and monitoring setup for n8n
- Security testing tools and methodologies for n8n
Advanced Attack Scenarios
- Preventing privilege escalation through workflows
Conclusion
This pillar outlines the security surface of a self‑hosted n8n installation and organizes the major hardening categories. Use the grouped child guides to dive deeper into the areas most relevant to your environment, ensuring a clear hierarchy for both users and search engines. Explore the linked guides to implement robust protections across authentication, network exposure, secret handling, container hardening, and ongoing monitoring.