2026-06-07

n8n Security Guide: Hardening Your Self-Hosted Automation Platform

Complete security hardening guide for self-hosted n8n: encryption, authentication, network isolation, audit logging, credential management, GDPR compliance, and penetration testing checklist. Protect your automation infrastructure.

Self-hosting n8n means you control your data — but it also means you control your security. When your automation platform has access to your email, CRM, payment processor, and database, securing it isn't optional. This guide covers every layer.

Layer 1: Transport Security (TLS/SSL)

Non-negotiable: never expose n8n over plain HTTP in production. n8n marks its session cookie Secure by default (N8N_SECURE_COOKIE=true), so logging in over plain HTTP fails; the fix is to terminate TLS in front of n8n, not to switch that flag off.

Use Caddy (automatic Let's Encrypt) or Nginx with certbot:

```caddy
n8n.yourdomain.com {
    reverse_proxy localhost:5678
}
```

Caddy obtains and auto-renews certificates. Set N8N_HOST, N8N_PROTOCOL=https and WEBHOOK_URL to the public hostname as well, so that the webhook and OAuth callback URLs n8n generates point at the TLS endpoint rather than at localhost:5678.
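A fuller Caddyfile, added here as an example rather than taken from the article or from the n8n project, that also sets the security headers the penetration-testing checklist asks for and turns on a JSON access log that brute-force monitoring can consume. The hostname, the `n8n` upstream name (Caddy and n8n on the same Docker network) and the log path are assumptions:

```caddy
n8n.yourdomain.com {
    # TLS terminates here; n8n itself is only reachable on the Docker network.
    reverse_proxy n8n:5678

    header {
        # Tell browsers to insist on HTTPS for a year. Add this only once
        # certificate issuance is known to work, because it is sticky.
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        # Nothing legitimate frames the editor UI from another origin.
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
        # Stop advertising the proxy software.
        -Server
        # No Content-Security-Policy here on purpose: a strict CSP is likely to
        # break the editor UI. Trial one with Content-Security-Policy-Report-Only first.
    }

    # JSON access log (Caddy's default format): one line per request with
    # client IP, method, URI and status, which is what login-failure and
    # webhook-enumeration alerting needs.
    log {
        output file /var/log/caddy/n8n-access.log {
            roll_size 50mb
            roll_keep 10
        }
    }
}
```

Check the result with `curl -sI https://n8n.yourdomain.com/` and confirm the headers are present and `Server:` is gone; the SSL Labs scan in the checklist will report the HSTS header too.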

Layer 2: Authentication

n8n supports multiple auth methods:

Built-in User Management (Minimum)

Older guides set basic auth in docker-compose.yml:

```yaml
# Deprecated: N8N_BASIC_AUTH_* was removed in n8n 1.0 and is ignored by current releases
environment:
  - N8N_BASIC_AUTH_ACTIVE=true
  - N8N_BASIC_AUTH_USER=admin
  - N8N_BASIC_AUTH_PASSWORD=your-strong-password
```

These variables were removed in n8n 1.0 and do nothing on current versions. What protects the editor today is the built-in user management: n8n creates the owner account on first start, and every user can (and should) enable TOTP two-factor authentication in their personal settings. Use a strong, unique owner password, create a separate account for each person instead of sharing the owner login, and remove accounts when people leave.

SSO via SAML or OIDC (Recommended for Teams)

n8n's single sign-on (SAML, with OIDC added in newer releases) is a licensed feature configured under Settings > SSO in the UI, not through environment variables; N8N_AUTH_METHOD and the N8N_OIDC_* variables are not n8n settings and would simply be ignored. If you run the Community Edition and want Google, GitHub or another OIDC provider in front of the editor, put an authenticating reverse proxy (Caddy's forward_auth directive with oauth2-proxy, for example) ahead of n8n and exempt the /webhook/ paths, which the services that call your workflows must still reach without a browser login.

Either way you can enforce 2FA through your identity provider; for local n8n accounts, n8n's own per-user two-factor authentication covers the gap.

Layer 3: Encryption

Encryption Key

n8n encrypts stored credentials at rest with N8N_ENCRYPTION_KEY. If you don't set it, n8n generates a random key on first start and writes it to ~/.n8n/config inside the container, where it is lost the moment that volume is recreated. Set one explicitly:

```bash
openssl rand -hex 32
# Output: a1b2c3d4e5f6... (64 hex characters)
```

```yaml
environment:
  - N8N_ENCRYPTION_KEY=a1b2c3d4e5f6...
```

Critical: if you lose this key, you lose every stored credential. n8n also refuses to start when the key you pass differs from the one recorded in ~/.n8n/config ("Mismatching encryption keys"), so never change it casually; there is no built-in re-keying, and rotating it is a manual migration. Store the key in a password manager or secrets store, not only in the .env file, and keep that file out of version control and out of any backups or exports you share.

Database Encryption

pgcrypto is not encryption at rest: CREATE EXTENSION pgcrypto only adds SQL functions for encrypting individual columns, and n8n does not use them. n8n's own encryption covers the credentials table; workflow definitions and saved execution data (every payload that flowed through a node, including any secrets those payloads contained) sit in the database in plaintext. Three measures cover that:

  • Encrypt the volume under PostgreSQL with LUKS (Linux) or your cloud provider's encrypted disks, and keep the database reachable only on an internal Docker network.
  • Use TLS between n8n and PostgreSQL whenever they are on different hosts (DB_POSTGRESDB_SSL_ENABLED=true, with DB_POSTGRESDB_SSL_CA pointing at the server's CA certificate).
  • Keep less data: EXECUTIONS_DATA_SAVE_ON_SUCCESS=none stops n8n from storing payloads of successful runs, and EXECUTIONS_DATA_PRUNE=true with EXECUTIONS_DATA_MAX_AGE (hours) expires the rest.

Layer 4: Network Isolation

Firewall Rules

Only expose ports 80/443 (Caddy/Nginx). Block direct access to n8n (5678):

```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw deny 5678/tcp   # n8n only accessible via reverse proxy
sudo ufw enable
```

Caveat for Docker hosts: a port published with ports: "5678:5678" is opened by Docker's own iptables rules in the FORWARD chain, which bypass ufw's INPUT rules, so the deny rule above does not stop outside connections to a published port. The reliable fix is not to publish 5678 at all (Caddy reaches n8n over the Docker network) or, if you need it on the host for debugging, to bind it to loopback with ports: "127.0.0.1:5678:5678". Verify from a machine outside your network with `nmap -p 5678 your.host` or `curl -m 5 http://your.host:5678/`, not from the host itself.

Docker Network Isolation

Put Caddy and n8n on one Docker network and n8n and the database on a second, internal one. Only Caddy publishes ports to the host, so nothing but the proxy can reach n8n, and the database is unreachable even from Caddy.
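An added docker-compose.yml showing that layout; it is an example written for this guide, not a file from the article or from n8n's own repository. The hostname, image tags, volume names and the values read from .env are assumptions, and the N8N_*, DB_* and EXECUTIONS_* settings are n8n's documented variables:

```yaml
# Only Caddy publishes ports to the host. n8n and PostgreSQL are reachable
# solely over the Docker networks below.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - edge

  n8n:
    image: n8nio/n8n
    restart: unless-stopped
    # No ports: section. The only way in is through Caddy.
    # For local debugging, bind to loopback rather than to all interfaces:
    #   ports: ["127.0.0.1:5678:5678"]
    environment:
      - N8N_HOST=n8n.yourdomain.com
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://n8n.yourdomain.com/
      - N8N_PROXY_HOPS=1                        # trust X-Forwarded-For from exactly one proxy
      - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY} # from .env or a secrets store, never literal here
      - DB_TYPE=postgresdb
      - DB_POSTGRESDB_HOST=postgres
      - DB_POSTGRESDB_DATABASE=n8n
      - DB_POSTGRESDB_USER=n8n
      - DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD}
      - N8N_BLOCK_ENV_ACCESS_IN_NODE=true       # Code nodes cannot read $env; set false only if a workflow needs it
      - EXECUTIONS_DATA_SAVE_ON_SUCCESS=none    # don't keep payloads of successful runs
      - EXECUTIONS_DATA_PRUNE=true
      - EXECUTIONS_DATA_MAX_AGE=168             # hours; expire the rest after a week
    volumes:
      - n8n_data:/home/node/.n8n
    networks:
      - edge      # reached by Caddy, and n8n's route to the internet for outbound API calls
      - backend
    depends_on:
      - postgres

  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      - POSTGRES_DB=n8n
      - POSTGRES_USER=n8n
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
      - pg_data:/var/lib/postgresql/data
    networks:
      - backend   # not on edge: Caddy and the outside world cannot reach it

networks:
  edge:
  backend:
    internal: true   # no route to the host's interfaces or to the internet

volumes:
  caddy_data:
  caddy_config:
  n8n_data:
  pg_data:
```

After `docker compose up -d`, `docker compose ps` should list published ports only for caddy, and `docker network inspect` of the backend network should show the `"Internal": true` flag. The Caddyfile in this layout proxies to `n8n:5678`, the service name, rather than to localhost.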

VPN / Tailscale

For maximum security, don't expose the editor to the public internet at all: use Tailscale or WireGuard and reach n8n only through the VPN. That removes the editor, the login form and the REST API from the public attack surface. The exception is inbound webhooks: a workflow triggered by Stripe, GitHub or another SaaS still needs a publicly reachable URL, so the usual compromise is a public hostname on the proxy that forwards only /webhook/ paths, with everything else served on a VPN-only hostname.

Layer 5: Credential Management

Use Environment Variables for Secrets

Never hardcode API keys in workflows: a workflow export, a shared template or a database backup would carry them along. n8n's credential system stores secrets encrypted with N8N_ENCRYPTION_KEY and leaves them out of exported workflow JSON, so it should be your default. Environment variables are the fallback for the rare node that has no credential type:

```javascript
// In a Code node (formerly the Function node)
const apiKey = $env.STRIPE_SECRET_KEY;
// NOT: const apiKey = 'sk_live_hardcoded_here';
```

Understand what $env implies before relying on it: it exposes the whole process environment, including N8N_ENCRYPTION_KEY and the database password, to anyone who can edit a workflow. If no workflow needs it, set N8N_BLOCK_ENV_ACCESS_IN_NODE=true so Code nodes cannot read $env at all.

Credential Rotation

Rotate API keys on a schedule (quarterly is a reasonable baseline) and immediately when a workflow editor leaves or an export or backup may have leaked. n8n's credential manager makes this painless: update the credential once and every workflow that references it picks up the new key.

Principle of Least Privilege

Each API key should have the minimum permissions needed:

  • Stripe: a restricted key with read + write for charges, not the full secret key
  • GitHub: a fine-grained token scoped to specific repos, not all repos
  • Gmail: send-only scope, not full account access

The same rule applies to n8n itself: day-to-day workflow authors get ordinary member accounts, and the owner account is kept for administration.

Layer 6: Audit Logging

The N8N_AUDIT_LOG_* variables that appear in some guides don't exist; n8n has no file-based audit log of that kind. What you do have:

  • n8n's own log: N8N_LOG_LEVEL=info (debug only while troubleshooting, it is verbose), N8N_LOG_OUTPUT=console,file and N8N_LOG_FILE_LOCATION=/home/node/.n8n/logs/n8n.log, on a mounted volume so the file survives container restarts.
  • The reverse proxy's access log (Caddy writes JSON by default), which records every login attempt, REST call and webhook hit with client IP, path and status code. This is the log to alert on.
  • `n8n audit`, a CLI command that produces a one-off security report: unused credentials, abandoned workflows, nodes that execute arbitrary code, risky instance settings and filesystem access. Run it on a schedule with `docker compose exec n8n n8n audit` and read the findings.
  • Log streaming of security events (logins, credential and workflow changes) to syslog, a webhook or Sentry, which is a licensed feature.

Ship the logs to a centralized system (Loki, ELK, or at minimum a mounted volume) for retention and alerting.

Monitor for:

  • Failed login attempts (brute force detection)
  • Bursts of 404s under /webhook/ (someone enumerating webhook paths)
  • Credential creation/modification
  • Workflow activation/deactivation
  • Manual workflow executions
  • New user accounts and new API keys
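The first two monitoring rules, as an added example that is not part of the article or of n8n: a small Node.js script that reads Caddy's JSON access log and flags login brute force (many 401s to POST /rest/login from one IP inside a short window) and webhook-path enumeration (a burst of 404s under /webhook/). The field names follow Caddy's default JSON access log; that a failed n8n login is a 401 on /rest/login and that an unknown webhook path returns 404 are assumptions to confirm against your own log, and the sample lines are constructed, not captured traffic.

```javascript
// Added example (not from the article or from n8n): flag login brute force and
// webhook-path enumeration in Caddy's JSON access log for an n8n instance.
// Assumptions: Caddy's default JSON fields (ts, request.remote_ip,
// request.method, request.uri, status); n8n answers a failed login with
// HTTP 401 on POST /rest/login; unknown webhook paths return 404.
'use strict';

// One Caddy-style access-log line. Used only to build the constructed sample below.
function caddyLine(ts, ip, method, uri, status) {
  return JSON.stringify({
    level: 'info', ts, msg: 'handled request',
    request: { remote_ip: ip, method, host: 'n8n.yourdomain.com', uri },
    status,
  });
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  // a legitimate user: one typo, then a successful login
  caddyLine(1749300000.0, '198.51.100.10', 'POST', '/rest/login', 401),
  caddyLine(1749300012.0, '198.51.100.10', 'POST', '/rest/login', 200),
  // a brute-force attempt: 8 failed logins in 35 seconds
  ...Array.from({ length: 8 }, (_, i) => caddyLine(1749300100 + i * 5, '203.0.113.7', 'POST', '/rest/login', 401)),
  // a scanner guessing webhook paths: 12 misses in under two minutes
  ...Array.from({ length: 12 }, (_, i) => caddyLine(1749300200 + i * 10, '192.0.2.99', 'GET', `/webhook/api-${i}`, 404)),
  // a real webhook call, and a slow trickle of failures that stays under the threshold
  caddyLine(1749300300.0, '203.0.113.50', 'POST', '/webhook/3f1c9e2a-7b8d-4c6e-9a1f-2d5b8c7e4f01', 200),
  ...Array.from({ length: 4 }, (_, i) => caddyLine(1749301000 + i * 900, '198.51.100.20', 'POST', '/rest/login', 401)),
  'not json at all',   // malformed lines must be skipped, not crash the detector
].join('\n');

// Parse one line into the fields the rules need; null for anything unusable.
function parseLine(line) {
  try {
    const e = JSON.parse(line);
    if (!e || !e.request || typeof e.status !== 'number' || typeof e.ts !== 'number') return null;
    return { ts: e.ts, ip: e.request.remote_ip, method: e.request.method, uri: e.request.uri, status: e.status };
  } catch {
    return null;
  }
}

// Sliding-window rule: an IP is reported once it produces `threshold` matching
// events within `windowSec` seconds. Returns { ip: { hits, firstAlertTs } }.
function detect(events, match, { threshold, windowSec }) {
  const recent = new Map();   // ip -> timestamps still inside the window
  const totals = new Map();   // ip -> every matching event seen
  const alerts = {};          // ip -> ts at which the threshold was first crossed
  for (const e of events) {
    if (!match(e)) continue;
    totals.set(e.ip, (totals.get(e.ip) || 0) + 1);
    const q = recent.get(e.ip) || [];
    q.push(e.ts);
    while (q.length && e.ts - q[0] > windowSec) q.shift();   // expire old timestamps
    recent.set(e.ip, q);
    if (q.length >= threshold && !(e.ip in alerts)) alerts[e.ip] = e.ts;
  }
  return Object.fromEntries(
    Object.keys(alerts).map((ip) => [ip, { hits: totals.get(ip), firstAlertTs: alerts[ip] }]),
  );
}

// Run both rules over a log file's text. Thresholds are demo values; tune them.
function analyze(logText) {
  const events = logText.split('\n').map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  return {
    loginBruteForce: detect(
      events,
      (e) => e.method === 'POST' && e.uri === '/rest/login' && e.status === 401,
      { threshold: 5, windowSec: 60 },
    ),
    webhookEnumeration: detect(
      events,
      (e) => typeof e.uri === 'string' && e.uri.startsWith('/webhook/') && e.status === 404,
      { threshold: 10, windowSec: 300 },
    ),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOG;
  console.log(JSON.stringify(analyze(text), null, 2));
}
```

Run it as `node detect.js /var/log/caddy/n8n-access.log`; without an argument it analyses the embedded sample and reports 203.0.113.7 for login brute force and 192.0.2.99 for webhook enumeration while ignoring the legitimate user and the slow trickle. Feed the alerts to whatever raises a ticket or blocks the address; fail2ban can act on the same log with equivalent patterns.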

GDPR & Compliance Quick Checklist

  • [ ] Data processed only on EU/US servers (per your DPA)
  • [ ] Encryption at rest (database + credentials)
  • [ ] Encryption in transit (TLS everywhere)
  • [ ] Access logs retained for compliance period
  • [ ] Data deletion workflow: ability to purge user data on request
  • [ ] Breach notification process documented
  • [ ] Regular security updates (watch n8n releases)

Penetration Testing Checklist

Before going to production, verify:

  • [ ] n8n not reachable on port 5678 from the public internet (test from an outside host; on a Docker host, published ports bypass ufw)
  • [ ] SSL Labs rates your TLS A+ (https://www.ssllabs.com/ssltest/)
  • [ ] Security headers present (HSTS, X-Frame-Options, X-Content-Type-Options; introduce a CSP in report-only mode first, since a strict one can break the editor)
  • [ ] Admin panel behind authentication, with 2FA enabled for every user
  • [ ] Webhook endpoints not guessable (keep the UUID path n8n assigns, and where the caller supports it add Header Auth in the Webhook node or HMAC signature verification in the workflow)
  • [ ] No default credentials in use, for n8n, PostgreSQL or the proxy
  • [ ] Rate limiting enabled on authentication endpoints
  • [ ] Code node access to $env blocked (N8N_BLOCK_ENV_ACCESS_IN_NODE=true) unless a workflow needs it
  • [ ] Execution data pruned (EXECUTIONS_DATA_PRUNE=true with a short EXECUTIONS_DATA_MAX_AGE) so old payloads don't accumulate in the database
  • [ ] `n8n audit` report reviewed and its findings closed

When to Use n8n Cloud Instead

Self-hosting isn't for everyone. Consider n8n Cloud if:

  • You don't have 4+ hours/month for security maintenance
  • You need SOC 2 or ISO 27001 certification
  • Your team is < 5 people without dedicated DevOps
  • You process healthcare or financial data under strict compliance frameworks

For everyone else: self-hosting with proper hardening is secure, private, and dramatically cheaper at scale.

Secure your automations from day one. All FlowForge templates follow these security patterns out of the box — no hardcoded credentials, proper environment variable usage, and production-safe configurations.
