n8n Security Hardening Guide

Self-hosting n8n means you own the infrastructure. That ownership includes every attack vector. A misconfigured instance exposes every API key, OAuth token, and client record flowing through your automation layer.

This guide walks you through the exact configuration steps to lock down n8n before you connect it to production systems. Skip any step and you're running an open relay for credential theft.

Your VPS ships with permissive defaults. Fix that first.

Configure Firewall Rules

On DigitalOcean, AWS, or Azure:

1. Navigate to your cloud provider's firewall console (Security Groups on AWS, Firewall on DigitalOcean).
2. Delete any rule allowing inbound traffic from 0.0.0.0/0 on all ports.
3. Create these three rules only:

Port 22 (SSH):

• Source: Your firm's static IP address or VPN gateway IP
• Protocol: TCP
• Action: Allow

Port 443 (HTTPS):

• Source: 0.0.0.0/0 (required for webhook

  webhook

  Click to read the full definition in our AI & Automation Glossary.

  receivers)
• Protocol: TCP
• Action: Allow

Port 5678 (n8n default):

• Action: Block from all external sources

If you're using UFW on Ubuntu, run these commands:

ufw default deny incoming
ufw allow from YOUR_OFFICE_IP to any port 22
ufw allow 443/tcp
ufw deny 5678/tcp
ufw enable

Replace YOUR_OFFICE_IP with your actual static IP. If you don't have one, set up a WireGuard VPN and whitelist only that gateway address.

Why Port 5678 Must Stay Closed

n8n's internal web server runs on Port 5678 by default. If you expose this directly to the internet, attackers can bypass your reverse proxy, SSL termination, and any authentication layer you've configured. Always route external traffic through Port 443 to a hardened reverse proxy.

Transmitting API

keys over HTTP is malpractice. Configure SSL before you build a single workflow.

Install and Configure Caddy

Caddy handles SSL certificate provisioning automatically. Install it:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Create /etc/caddy/Caddyfile:

automation.yourfirm.com {
    reverse_proxy localhost:5678
    encode gzip
}

Replace automation.yourfirm.com with your actual subdomain. Restart Caddy:

sudo systemctl restart caddy

Caddy will automatically request a Let's Encrypt certificate for your domain. Verify it worked by visiting https://automation.yourfirm.com in a browser. You should see the n8n login screen with a valid SSL certificate.

Update n8n Environment Variables

Edit your .env file or docker-compose.yml:

WEBHOOK_URL=https://automation.yourfirm.com
N8N_PROTOCOL=https
N8N_HOST=automation.yourfirm.com

Restart n8n. All webhook URLs generated by n8n will now use HTTPS.

n8n ships with no authentication enabled. Fix that immediately.

Basic Authentication (Minimum Viable Security)

If you're running the community edition without user management, enable basic auth:

N8N_BASIC_AUTH_ACTIVE=true
N8N_BASIC_AUTH_USER=admin
N8N_BASIC_AUTH_PASSWORD=USE_A_REAL_PASSWORD_HERE

Generate a strong password using your password manager. This creates a single shared credential for accessing the n8n interface.

Limitation: Everyone on your team shares one password. When someone leaves, you must change it and redistribute to the entire team.

SSO Integration (Production Standard)

If you're on n8n Enterprise or Cloud, configure SAML or OIDC:

For Google Workspace:

1. In n8n, go to Settings → SSO.
2. Select SAML 2.0.
3. Copy the ACS URL and Entity ID.
4. In Google Admin Console, create a new SAML app.
5. Paste the ACS URL and Entity ID from n8n.
6. Download the Google IdP metadata XML.
7. Upload it to n8n's SSO configuration.
8. Enable "Just-in-Time Provisioning" so new users are created automatically on first login.

For Microsoft Entra ID (Azure AD):

1. In Azure Portal, navigate to Enterprise Applications.
2. Create a new application and select SAML.
3. Configure the Reply URL to match n8n's ACS URL.
4. Set the Identifier to n8n's Entity ID.
5. Download the Federation Metadata XML.
6. Upload it to n8n's SSO settings.

Critical: Enable SCIM provisioning if your identity provider supports it. When you offboard an employee in Google Workspace or Azure AD, their n8n access terminates instantly. Without SCIM, you must manually disable their account in n8n.

n8n stores OAuth tokens, API

keys, and database passwords in PostgreSQL. These are encrypted using a master key.

Generate and Store the Encryption Key

Run this command on your server:

openssl rand -base64 32

Copy the output. Add it to your .env file:

N8N_ENCRYPTION_KEY=YOUR_GENERATED_KEY_HERE

Store this key in three places:

1. Your production .env file on the server
2. Your team's shared 1Password vault (create a Secure Note)
3. Your disaster recovery documentation

If you lose this key, every connected account in n8n becomes permanently inaccessible. You cannot decrypt credentials without it. Rebuilding your server without this exact string means manually reconnecting every integration.

Rotate the Key Annually

Set a calendar reminder to rotate this key every 12 months:

1. Generate a new key using the same openssl command.
2. Update N8N_ENCRYPTION_KEY in your .env file.
3. Restart n8n.
4. Reconnect all credentials (n8n cannot automatically re-encrypt with the new key).

Every webhook

URL n8n generates is technically public. Anyone with the URL can send data to your workflow.

Use Randomized Webhook

Webhook

Click to read the full definition in our AI & Automation Glossary.

Paths

When you add a Webhook

node to a workflow, n8n generates a URL like:

https://automation.yourfirm.com/webhook/a7f3c9e1-4b2d-4e8f-9c3a-1d5e7f9b2c4a

Never change this to something predictable like /webhook/docusign-intake. The UUID provides security through obscurity. It's not perfect, but it raises the bar.

Require Authentication Headers

Configure your Webhook

node to validate incoming requests:

1. Open the Webhook

   Webhook

   Click to read the full definition in our AI & Automation Glossary.

   node in your workflow.
2. Under "Authentication", select "Header Auth".
3. Set Header Name to X-Webhook-Secret.
4. Generate a random string (use openssl rand -hex 16).
5. Paste it into the "Header Value" field.

Now configure the sending system (DocuSign, Salesforce, etc.) to include this header:

X-Webhook-Secret: your_random_string_here

Any request without the correct header gets rejected before your workflow executes.

IP Whitelisting for Known Senders

If your webhook

sender publishes their IP ranges (Salesforce does), add firewall rules to only accept traffic from those IPs on Port 443.

For Salesforce webhooks

, whitelist these CIDR blocks in your cloud firewall:

13.108.0.0/14
13.110.0.0/15

Check your sender's documentation for their current IP ranges. Update your firewall rules when they publish changes.

n8n logs every workflow execution by default. That means client names, email addresses, and CRM

record IDs sit in your database indefinitely.

Configure Automatic Pruning

Add these variables to your .env file:

EXECUTIONS_DATA_SAVE_ON_SUCCESS=none
EXECUTIONS_DATA_SAVE_ON_ERROR=all
EXECUTIONS_DATA_PRUNE=true
EXECUTIONS_DATA_MAX_AGE=168

What this does:

• Successful executions: Data deleted immediately after completion
• Failed executions: Data retained for 7 days (168 hours) so you can debug
• Automatic pruning: Runs daily to enforce the 7-day limit

If you need to retain execution data for compliance reasons, set EXECUTIONS_DATA_SAVE_ON_SUCCESS=all and increase EXECUTIONS_DATA_MAX_AGE to match your retention policy (e.g., 2190 hours for 90 days).

Manual Purge Command

To immediately delete all execution history:

docker exec -it n8n n8n execute --prune

Run this before connecting n8n to production systems if you've been testing with real client data.

If you're using PostgreSQL (recommended over SQLite for production), restrict database access.

PostgreSQL Configuration

Edit /etc/postgresql/14/main/pg_hba.conf:

# Only allow connections from localhost
host    n8n_db    n8n_user    127.0.0.1/32    scram-sha-256

Restart PostgreSQL:

sudo systemctl restart postgresql

This prevents remote database connections. n8n must run on the same server as PostgreSQL.

Use Strong Database Passwords

Generate a 32-character random password for your n8n database user:

openssl rand -base64 32

Update your docker-compose.yml:

environment:
  DB_TYPE: postgresdb
  DB_POSTGRESDB_HOST: localhost
  DB_POSTGRESDB_PORT: 5432
  DB_POSTGRESDB_DATABASE: n8n_db
  DB_POSTGRESDB_USER: n8n_user
  DB_POSTGRESDB_PASSWORD: YOUR_GENERATED_PASSWORD

Track who accesses n8n and what they change.

Configure Audit Logs (Enterprise Only)

In n8n Enterprise, enable audit logging:

N8N_AUDIT_ENABLED=true
N8N_AUDIT_LOG_LOCATION=/var/log/n8n/audit.log

Create the log directory:

sudo mkdir -p /var/log/n8n
sudo chown 1000:1000 /var/log/n8n

Audit logs capture:

• User login attempts (successful and failed)
• Workflow modifications
• Credential access
• Execution triggers

Ship these logs to your SIEM or log aggregation platform (Datadog, Splunk, etc.) for centralized monitoring.

n8n releases security patches regularly. Automate updates or set a monthly maintenance window.

Update Process

1. Back up your PostgreSQL database:

pg_dump n8n_db > n8n_backup_$(date +%Y%m%d).sql

2. Pull the latest n8n Docker image:

docker pull n8nio/n8n:latest

3. Restart your container:

docker-compose down
docker-compose up -d

4. Verify the update:

docker logs n8n

Subscribe to n8n's security mailing list at n8n.io to receive notifications about critical vulnerabilities.

Before processing live client data, verify:

• [ ] Firewall blocks Port 5678 from external access
• [ ] SSH restricted to your office IP or VPN
• [ ] SSL certificate valid and auto-renewing
• [ ] Basic auth or SSO enabled
• [ ] Encryption key generated and backed up
• [ ] Webhook

  Webhook

  Click to read the full definition in our AI & Automation Glossary.

  authentication configured
• [ ] Execution data pruning enabled
• [ ] PostgreSQL access restricted to localhost
• [ ] Audit logging enabled (if Enterprise)
• [ ] Update schedule documented

Run through this checklist quarterly. Security configurations drift over time as team members make changes or install updates.