n8n Security: Encryption, Authentication & HTTPS Hardening


🔐 n8n Security Hub
Encryption · Authentication · HTTPS · Webhook security · Enterprise SSO
n8n Security: Encryption, Authentication & HTTPS Hardening
Credential encryption | N8N_ENCRYPTION_KEY | Basic auth | SAML SSO | Webhook HMAC | Reverse proxy TLS
This guide covers everything you need to secure a self‑hosted n8n instance. Topics include AES‑256‑CBC credential encryption, master key management, basic authentication, SAML/OIDC single sign‑on, webhook signature verification, and mandatory HTTPS via reverse proxy. All recommendations are based on official n8n security documentation.

1. How does n8n encrypt credentials and what is N8N_ENCRYPTION_KEY?

n8n encrypts all credentials (API keys, OAuth tokens, passwords) using AES‑256‑CBC. The master key comes from the N8N_ENCRYPTION_KEY environment variable. If you lose this key, encrypted credentials become irrecoverable. Set the same key across all main and worker containers.

n8n applies symmetric encryption before storing credentials in the database. The algorithm is AES‑256‑CBC (Advanced Encryption Standard with 256‑bit key and Cipher Block Chaining). The N8N_ENCRYPTION_KEY variable supplies the master key. If not provided, n8n auto‑generates a key and saves it in /home/node/.n8n/config. However, for distributed deployments (queue mode), every node must share the same explicitly defined key.

🚨 Disaster recovery critical — Back up your N8N_ENCRYPTION_KEY together with database dumps. Without the original key, even a full database backup will not restore credentials. Store the key in a secrets manager (Bitwarden, HashiCorp Vault, or encrypted offline storage).

Example of setting the key in Docker Compose:

environment:
  - N8N_ENCRYPTION_KEY=your-strong-64-character-hex-or-base64-key

Generate a secure key using: openssl rand -hex 32. For production, rotate keys by decrypting and re‑encrypting credentials (requires custom scripting). For more details, refer to the official credential encryption guide.

2. How do you enable basic authentication for self‑hosted n8n?

Set N8N_BASIC_AUTH_ACTIVE=true, N8N_BASIC_AUTH_USER, and N8N_BASIC_AUTH_PASSWORD. This adds a simple HTTP basic auth layer before the n8n interface. For newer n8n versions (1.0+), the built‑in user management with email/password is preferred, but basic auth still works as an additional firewall.

Basic authentication is handled by n8n itself, not by the reverse proxy. It prompts for credentials before loading the editor UI. This is useful for small teams or when you cannot use OAuth/SAML. However, it does not offer per‑user roles or session management.

⚠️ Important: Basic auth credentials are sent with every request. Always combine basic auth with HTTPS; otherwise, passwords travel in plain text. In production, consider upgrading to n8n’s built‑in user management (email invites, JWT sessions) or Enterprise SSO.

Example Docker environment:

environment:
  - N8N_BASIC_AUTH_ACTIVE=true
  - N8N_BASIC_AUTH_USER=admin
  - N8N_BASIC_AUTH_PASSWORD=strongpassword

After setting these variables, restart n8n. Accessing the editor will now require the user and password. The built‑in user management (available from version 1.0) provides separate owner and member roles, which is more suitable for team use. See the user management documentation for details.

3. How do you configure SAML or OIDC SSO for n8n Enterprise?

n8n Enterprise includes built‑in SAML 2.0 and OIDC support. Configure identity provider (Okta, Azure AD, Google Workspace) metadata and mapping in n8n’s settings file. Users then log in via your corporate SSO. This feature is not available in the Community edition.

Enterprise SSO replaces the default email/password login. n8n acts as a service provider (SP). You provide the IdP metadata URL or XML, map user attributes (email, first name, last name), and configure certificate validation. After enabling SSO, users can still log in with local credentials if you allow fallback.

🔒 Supported IdPs: Okta, Microsoft Azure AD, Google Workspace, Auth0, Keycloak, and any SAML 2.0 or OIDC compliant provider. The configuration is done via ~/.n8n/config or environment variables N8N_SAML_*.

SAML setup involves:

  • Setting N8N_SAML_ENABLED=true and N8N_SAML_ENTITY_ID
  • Providing IdP metadata URL via N8N_SAML_METADATA_URL or file path
  • Optionally mapping attributes with N8N_SAML_ATTRIBUTE_MAPPING_EMAIL

For OIDC, use N8N_OIDC_ENABLED=true and configure discovery URL, client ID, and client secret. Full setup examples are in the Enterprise SSO documentation.

4. How do you verify incoming webhook signatures (HMAC) in n8n?

n8n webhook nodes can validate HMAC signatures. In the Webhook node settings, enable “HMAC Auth” and provide a shared secret. n8n then compares the incoming X-Hub-Signature-256 header against a computed HMAC‑SHA256 digest. Reject requests that don’t match.

HMAC verification prevents forged webhook calls. Many services (GitHub, Stripe, SendGrid) include a signature header. n8n calculates the HMAC using the request body and your secret, then compares it with the header. If they differ, n8n returns a 401 Unauthorized and does not execute the workflow.

To enable:

  1. Add a Webhook trigger node to your workflow.
  2. In node parameters, set “Authentication” to “HMAC”.
  3. Enter the shared secret (same as the sender’s).
  4. Choose the algorithm (default SHA256).
🔐 Best practice: Also whitelist source IP addresses of the provider (e.g., GitHub webhook IPs) as an additional layer. Combine HMAC with IP allowlisting and HTTPS to fully secure your webhook endpoints.

Example: For GitHub webhooks, n8n expects the X-Hub-Signature-256 header. Configure the same secret in GitHub’s webhook settings and in n8n’s HMAC field. The node then validates every incoming delivery. See the webhook HMAC guide for more.

5. Why does n8n self‑hosted require a reverse proxy for HTTPS?

n8n’s internal web server only speaks HTTP. To serve traffic over HTTPS, place a reverse proxy (Nginx, Caddy, Traefik) in front. The proxy terminates TLS, forwards requests to n8n on port 5678, and must support WebSocket upgrades for the editor UI.

Without a reverse proxy, all traffic between clients and n8n is unencrypted, exposing credentials, webhook payloads, and API tokens. A modern reverse proxy also adds security headers, rate limiting, and access logs. Additionally, n8n needs N8N_PROTOCOL=https and N8N_HOST to generate correct webhook URLs.

Minimal Nginx configuration for n8n:

server {
    listen 443 ssl http2;
    server_name n8n.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/n8n/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/n8n/privkey.pem;

    location / {
        proxy_pass http://localhost:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

With Caddy, HTTPS is automatic:

n8n.yourdomain.com {
    reverse_proxy n8n:5678
}

Always set N8N_PROTOCOL=https inside the n8n container. For full reverse proxy examples, see the official proxy documentation.

6. How can you restrict n8n access by IP address?

n8n does not have built‑in IP filtering. Implement IP allowlisting at the reverse proxy level (Nginx allow/deny directives) or using cloud firewall rules (security groups). This is especially useful for webhook endpoints that should only accept traffic from specific services.

For Nginx, add allow and deny all directives inside the location block:

location /webhook/ {
    allow 192.168.1.0/24;
    allow 203.0.113.5;
    deny all;
    proxy_pass http://n8n:5678;
}

This blocks all IPs except those listed. For cloud deployments (AWS, DigitalOcean, Google Cloud), use security group rules to restrict ingress port 443 to specific IP ranges. For webhook endpoints that must be public (e.g., GitHub or Stripe), consider HMAC verification instead of IP allowlisting because provider IPs may change.

🔧 Combined approach: Use IP allowlisting for internal admin access (e.g., restrict / UI to corporate VPN IPs) and HMAC + IP whitelist for webhooks. Never rely on obscurity; always use encryption and authentication.

7. Which environment variables improve n8n security?

Critical security variables: N8N_ENCRYPTION_KEY (credential encryption), N8N_BASIC_AUTH_* (access control), N8N_USER_MANAGEMENT_JWT_SECRET (JWT signing), N8N_VERSION_NOTIFICATIONS_ENABLED=false (disable version check leakage), and N8N_SKIP_WEBHOOK_DANGEROUS_EMAIL_CHECK=false (email safety).

Other security‑related variables include:

  • N8N_METRICS=true → exposes metrics endpoint; protect it with basic auth or firewall rules.
  • N8N_METRICS_BASIC_AUTH_USER / PASSWORD → add authentication to /metrics.
  • N8N_EXECUTIONS_DATA_PRUNE=true → automatically delete old execution logs to reduce database exposure.
  • N8N_EXECUTIONS_DATA_MAX_AGE=168 → keep execution data for 168 hours (7 days).
  • N8N_HIRING_BANNER_ENABLED=false → removes unnecessary informational banner (minor hardening).

Review the full environment variables reference for details.

8. How do you keep n8n self‑hosted secure over time?

Subscribe to n8n release notes, update to latest stable versions regularly (pinned tags), rotate encryption keys periodically (with careful migration), monitor logs for failed authentication attempts, and set up alerts for suspicious activity. Use vulnerability scanners on your host.

Security is a process, not a one‑time setup. Recommended ongoing actions:

  • Update n8n at least every 4–6 weeks to get security patches. Follow the changelog.
  • Monitor logs — set N8N_LOG_LEVEL=info or debug and forward logs to a central system (ELK, Loki). Look for repeated failed basic auth or webhook HMAC failures.
  • Automate vulnerability scanning of your Docker host and containers (e.g., Trivy, Grype).
  • Back up the encryption key and test restore procedures quarterly.
  • Use a secrets manager for environment variables in production (Docker secrets, HashiCorp Vault, or cloud secret stores).
🛡️ Proactive check: At least once a month, run docker inspect or review your Compose file to ensure no unnecessary ports are exposed, and verify that N8N_PROTOCOL=https is still set correctly after updates.

⚠️ Disclaimer: This guide is for informational purposes. Security is your responsibility. Always follow the latest official n8n documentation and industry best practices. The author is not affiliated with n8n GmbH.


Leave a Reply

Your email address will not be published. Required fields are marked *