n8n Security: The 2026 Checklist
Lock down self-hosted n8n: HTTPS, encryption keys, RBAC, webhook signatures, secrets, and audit logs.
Key takeaways
- Always run behind HTTPS — no exceptions, even for internal-only.
- Rotate N8N_ENCRYPTION_KEY only with the documented migration; losing it bricks credentials.
- Restrict editor access: per-user accounts with 2FA (SSO and RBAC on Enterprise), plus an IP allowlist or identity-aware proxy in front of the editor.
- Verify every inbound webhook signature.
n8n holds the keys to your business: API tokens, customer data in flight, credentials for every SaaS you use. Treating it as a normal web app is not enough. This checklist hardens a self-hosted n8n instance against a realistic threat model: a leaked editor login, a spoofed or replayed webhook, and a stolen database dump or backup.
Transport — HTTPS or nothing
Run n8n behind Caddy, Traefik, or nginx with a Let's Encrypt certificate and terminate TLS at the proxy. Set N8N_PROTOCOL=https, N8N_HOST to the public hostname, and WEBHOOK_URL to the full HTTPS base URL; otherwise n8n builds webhook URLs from its internal listener and hands out http:// addresses. Some providers refuse plain-HTTP endpoints outright (Stripe requires HTTPS for live-mode webhooks), and any that accept them expose your shared secrets and payloads on the wire.
Editor access
Community Edition: the N8N_BASIC_AUTH_* variables were removed in n8n 1.0; user management (an owner account plus invited users with email and password) is always on. Give every person their own account, enforce 2FA, and remove accounts on offboarding. Put Cloudflare Access, Tailscale, or a reverse-proxy IP allowlist in front of the editor so it is never publicly reachable, while leaving the /webhook/ and /webhook-test/ paths open to the callers that need them. Enterprise: SAML/OIDC SSO with your IdP, plus RBAC roles and projects to scope who can edit or run which workflows.
Secrets
Never paste API keys into HTTP Request node fields, Set nodes, or expressions: anyone with editor access can read them, and they travel with every workflow export and backup. Use the Credentials store, which is encrypted at rest with N8N_ENCRYPTION_KEY. If that variable is unset, n8n generates a key on first start and writes it to ~/.n8n/config, which is easy to lose in a container rebuild; set it explicitly and back it up, because the credentials table is unreadable without it. On Enterprise, use an external secrets backend such as HashiCorp Vault or AWS Secrets Manager so the secret never lives in the n8n database at all. Rotate credentials quarterly and on offboarding.
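An added example, not an n8n feature and not code from the original page: a scanner that walks an exported workflow JSON and flags secrets typed into node parameters instead of referenced from the Credentials store. It assumes the standard export layout (a nodes array with name, type and parameters; header and query entries as name/value pairs; expressions stored as strings beginning with =). The sample workflow, the token patterns and the sensitive-name list are constructed and illustrative, not exhaustive.

```javascript
// Added example, not n8n's own tooling: find secrets hardcoded into node parameters
// of an exported workflow. Assumes the export layout (nodes[].parameters, name/value
// pairs for headers and query params, expressions starting with '='). Patterns are illustrative.

// Illustrative secret formats; extend with the providers you actually use.
const VALUE_PATTERNS = [
  { rule: 'bearer-token',      re: /^Bearer\s+\S{16,}/i },
  { rule: 'stripe-live-key',   re: /\bsk_live_[A-Za-z0-9]{16,}/ },
  { rule: 'github-token',      re: /\bgh[pousr]_[A-Za-z0-9]{30,}/ },
  { rule: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: 'slack-token',       re: /\bxox[abpr]-[0-9A-Za-z-]{10,}/ },
];
// Parameter names that should only ever carry a credential reference, never a literal.
const SENSITIVE_NAMES = /^(authorization|x-api-key|api[-_]?key|token|secret|password)$/i;

// n8n stores expressions as strings beginning with '='; a literal value has no such prefix.
function isExpression(v) {
  return typeof v === 'string' && v.startsWith('=');
}

// Yields every string leaf together with a JSON-path-like location.
function* walkStrings(value, path) {
  if (typeof value === 'string') {
    yield { path, value };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkStrings(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* walkStrings(v, `${path}.${k}`);
  }
}

// Yields every object, so name/value pairs (headers, query params, Set assignments) can be inspected.
function* walkObjects(value, path) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkObjects(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    yield { path, obj: value };
    for (const [k, v] of Object.entries(value)) yield* walkObjects(v, `${path}.${k}`);
  }
}

function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const params = node.parameters || {};
    // Rule set 1: any string parameter that looks like a known token format.
    for (const { path, value } of walkStrings(params, 'parameters')) {
      for (const { rule, re } of VALUE_PATTERNS) {
        if (re.test(value)) findings.push({ node: node.name, type: node.type, path, rule });
      }
    }
    // Rule set 2: a sensitive header/query/field name carrying a literal (non-expression) value.
    for (const { path, obj } of walkObjects(params, 'parameters')) {
      if (typeof obj.name === 'string' && typeof obj.value === 'string'
          && SENSITIVE_NAMES.test(obj.name) && obj.value !== '' && !isExpression(obj.value)) {
        findings.push({ node: node.name, type: node.type, path, rule: 'literal-sensitive-parameter' });
      }
    }
  }
  return findings;
}

// Constructed sample export (not a real workflow). The first node carries a pasted key,
// the second uses the Credentials store correctly, the third only references data via an expression.
const SAMPLE_WORKFLOW = {
  name: 'constructed sample',
  nodes: [
    {
      name: 'Charge customer', type: 'n8n-nodes-base.httpRequest', typeVersion: 4.2,
      parameters: {
        method: 'POST', url: 'https://api.stripe.com/v1/charges', authentication: 'none',
        sendHeaders: true,
        headerParameters: { parameters: [{ name: 'Authorization', value: 'Bearer sk_live_EXAMPLEEXAMPLEEXAMPLE1234' }] },
      },
    },
    {
      name: 'Notify Slack', type: 'n8n-nodes-base.httpRequest', typeVersion: 4.2,
      parameters: {
        method: 'POST', url: 'https://slack.com/api/chat.postMessage',
        authentication: 'predefinedCredentialType', nodeCredentialType: 'slackApi',
      },
      credentials: { slackApi: { id: '1', name: 'Slack account' } },
    },
    {
      name: 'Set flags', type: 'n8n-nodes-base.set', typeVersion: 3.4,
      parameters: { assignments: { assignments: [{ name: 'token', value: '={{ $json.token }}', type: 'string' }] } },
    },
  ],
  connections: {},
};

console.log(scanWorkflow(SAMPLE_WORKFLOW));
```

To run it against a real instance, export with n8n export:workflow --all --output=workflows.json (the file is then an array, so call scanWorkflow on each element) and wire it into CI so a pasted key fails the pipeline before it reaches production. Expressions are skipped on purpose: a value like ={{ $env.API_KEY }} is a reference, not a secret, although keys passed through environment variables still deserve their own review.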
Webhook signatures and rate limits
Verify HMAC signatures on every inbound webhook from Stripe, GitHub, Shopify, and similar providers. Compute the HMAC over the raw request bytes (enable the Webhook node's Raw Body option), compare with a constant-time comparison, and reject timestamps outside a short window where the provider signs one, so a captured request cannot be replayed. Put a rate limiter (Caddy or Cloudflare) in front of public webhook URLs. On internal webhooks, use the Webhook node's Header Auth credential or a shared-secret header check, with the secret held in the Credentials store rather than typed into the node.
Audit and review
Enable log streaming and audit logs on Enterprise. On Community, the execution_entity table in PostgreSQL (with its execution_data companion) is your only record of what ran, and execution pruning (EXECUTIONS_DATA_PRUNE, on by default, with EXECUTIONS_DATA_MAX_AGE in hours) deletes rows once they age out, so mirror the tables into a long-term store before the retention window expires. Run n8n audit from the CLI periodically; on any edition it reports unused credentials, risky node types, unprotected webhooks, and an outdated n8n version. Quarterly access reviews are cheap insurance.
Frequently asked questions
- Is n8n secure by default?
- The defaults are reasonable but not hardened. Apply this checklist before going to production.
- How do I rotate the encryption key?
- Follow the official key rotation procedure: export credentials decrypted with the CLI (n8n export:credentials --all --decrypted --output=creds.json), stop n8n, set the new N8N_ENCRYPTION_KEY, start it, and re-import with n8n import:credentials --input=creds.json. The export file holds every secret in plaintext, so write it to an encrypted or in-memory volume and shred it afterwards. Never just change the env var: existing credentials can no longer be decrypted, and n8n refuses to start when the variable disagrees with the key recorded in ~/.n8n/config.