Skip to main content

Security Best Practices for n8n

Access Controls

Enforce strong admin credentials and MFA via your IdP
Restrict public access; expose only webhook endpoints

Secrets Management

Store credentials encrypted; rotate N8N_ENCRYPTION_KEY
Avoid hardcoding secrets; use environment variables or vault integrations

Webhook Safety

Validate signatures on inbound requests when supported
Rate‑limit and WAF protect public endpoints

Supply Chain & Runtime

Pin images; verify digests and changelogs
Run as non‑root; set resource limits; isolate tenants when needed

Logging & Compliance

Redact sensitive fields; audit admin actions and credential changes

Access Controls
Secrets Management
Webhook Safety
Supply Chain & Runtime
Logging & Compliance