1. How does n8n encrypt credentials and what is N8N_ENCRYPTION_KEY?
N8N_ENCRYPTION_KEY environment variable. If you lose this key, encrypted credentials become irrecoverable. Set the same key across all main and worker containers.
n8n applies symmetric encryption before storing credentials in the database. The algorithm is AES‑256‑CBC (Advanced Encryption Standard with 256‑bit key and Cipher Block Chaining). The N8N_ENCRYPTION_KEY variable supplies the master key. If not provided, n8n auto‑generates a key and saves it in /home/node/.n8n/config. However, for distributed deployments (queue mode), every node must share the same explicitly defined key.
N8N_ENCRYPTION_KEY together with database dumps. Without the original key, even a full database backup will not restore credentials. Store the key in a secrets manager (Bitwarden, HashiCorp Vault, or encrypted offline storage).
Example of setting the key in Docker Compose:
environment:
- N8N_ENCRYPTION_KEY=your-strong-64-character-hex-or-base64-key
Generate a secure key using: openssl rand -hex 32. For production, rotate keys by decrypting and re‑encrypting credentials (requires custom scripting). For more details, refer to the official credential encryption guide.
2. How do you enable basic authentication for self‑hosted n8n?
N8N_BASIC_AUTH_ACTIVE=true, N8N_BASIC_AUTH_USER, and N8N_BASIC_AUTH_PASSWORD. This adds a simple HTTP basic auth layer before the n8n interface. For newer n8n versions (1.0+), the built‑in user management with email/password is preferred, but basic auth still works as an additional firewall.
Basic authentication is handled by n8n itself, not by the reverse proxy. It prompts for credentials before loading the editor UI. This is useful for small teams or when you cannot use OAuth/SAML. However, it does not offer per‑user roles or session management.
Example Docker environment:
environment:
- N8N_BASIC_AUTH_ACTIVE=true
- N8N_BASIC_AUTH_USER=admin
- N8N_BASIC_AUTH_PASSWORD=strongpassword
After setting these variables, restart n8n. Accessing the editor will now require the user and password. The built‑in user management (available from version 1.0) provides separate owner and member roles, which is more suitable for team use. See the user management documentation for details.
3. How do you configure SAML or OIDC SSO for n8n Enterprise?
Enterprise SSO replaces the default email/password login. n8n acts as a service provider (SP). You provide the IdP metadata URL or XML, map user attributes (email, first name, last name), and configure certificate validation. After enabling SSO, users can still log in with local credentials if you allow fallback.
~/.n8n/config or environment variables N8N_SAML_*.
SAML setup involves:
- Setting
N8N_SAML_ENABLED=trueandN8N_SAML_ENTITY_ID - Providing IdP metadata URL via
N8N_SAML_METADATA_URLor file path - Optionally mapping attributes with
N8N_SAML_ATTRIBUTE_MAPPING_EMAIL
For OIDC, use N8N_OIDC_ENABLED=true and configure discovery URL, client ID, and client secret. Full setup examples are in the Enterprise SSO documentation.
4. How do you verify incoming webhook signatures (HMAC) in n8n?
X-Hub-Signature-256 header against a computed HMAC‑SHA256 digest. Reject requests that don’t match.
HMAC verification prevents forged webhook calls. Many services (GitHub, Stripe, SendGrid) include a signature header. n8n calculates the HMAC using the request body and your secret, then compares it with the header. If they differ, n8n returns a 401 Unauthorized and does not execute the workflow.
To enable:
- Add a Webhook trigger node to your workflow.
- In node parameters, set “Authentication” to “HMAC”.
- Enter the shared secret (same as the sender’s).
- Choose the algorithm (default SHA256).
Example: For GitHub webhooks, n8n expects the X-Hub-Signature-256 header. Configure the same secret in GitHub’s webhook settings and in n8n’s HMAC field. The node then validates every incoming delivery. See the webhook HMAC guide for more.
5. Why does n8n self‑hosted require a reverse proxy for HTTPS?
Without a reverse proxy, all traffic between clients and n8n is unencrypted, exposing credentials, webhook payloads, and API tokens. A modern reverse proxy also adds security headers, rate limiting, and access logs. Additionally, n8n needs N8N_PROTOCOL=https and N8N_HOST to generate correct webhook URLs.
Minimal Nginx configuration for n8n:
server {
listen 443 ssl http2;
server_name n8n.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/n8n/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/n8n/privkey.pem;
location / {
proxy_pass http://localhost:5678;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
With Caddy, HTTPS is automatic:
n8n.yourdomain.com {
reverse_proxy n8n:5678
}
Always set N8N_PROTOCOL=https inside the n8n container. For full reverse proxy examples, see the official proxy documentation.
6. How can you restrict n8n access by IP address?
allow/deny directives) or using cloud firewall rules (security groups). This is especially useful for webhook endpoints that should only accept traffic from specific services.
For Nginx, add allow and deny all directives inside the location block:
location /webhook/ {
allow 192.168.1.0/24;
allow 203.0.113.5;
deny all;
proxy_pass http://n8n:5678;
}
This blocks all IPs except those listed. For cloud deployments (AWS, DigitalOcean, Google Cloud), use security group rules to restrict ingress port 443 to specific IP ranges. For webhook endpoints that must be public (e.g., GitHub or Stripe), consider HMAC verification instead of IP allowlisting because provider IPs may change.
/ UI to corporate VPN IPs) and HMAC + IP whitelist for webhooks. Never rely on obscurity; always use encryption and authentication.
7. Which environment variables improve n8n security?
N8N_ENCRYPTION_KEY (credential encryption), N8N_BASIC_AUTH_* (access control), N8N_USER_MANAGEMENT_JWT_SECRET (JWT signing), N8N_VERSION_NOTIFICATIONS_ENABLED=false (disable version check leakage), and N8N_SKIP_WEBHOOK_DANGEROUS_EMAIL_CHECK=false (email safety).
Other security‑related variables include:
N8N_METRICS=true→ exposes metrics endpoint; protect it with basic auth or firewall rules.N8N_METRICS_BASIC_AUTH_USER / PASSWORD→ add authentication to/metrics.N8N_EXECUTIONS_DATA_PRUNE=true→ automatically delete old execution logs to reduce database exposure.N8N_EXECUTIONS_DATA_MAX_AGE=168→ keep execution data for 168 hours (7 days).N8N_HIRING_BANNER_ENABLED=false→ removes unnecessary informational banner (minor hardening).
Review the full environment variables reference for details.
8. How do you keep n8n self‑hosted secure over time?
Security is a process, not a one‑time setup. Recommended ongoing actions:
- Update n8n at least every 4–6 weeks to get security patches. Follow the changelog.
- Monitor logs — set
N8N_LOG_LEVEL=infoordebugand forward logs to a central system (ELK, Loki). Look for repeated failed basic auth or webhook HMAC failures. - Automate vulnerability scanning of your Docker host and containers (e.g., Trivy, Grype).
- Back up the encryption key and test restore procedures quarterly.
- Use a secrets manager for environment variables in production (Docker secrets, HashiCorp Vault, or cloud secret stores).
docker inspect or review your Compose file to ensure no unnecessary ports are exposed, and verify that N8N_PROTOCOL=https is still set correctly after updates.
📖 Official references

