Self-hosting n8n is highly cost-effective and provides ultimate control over your data. However, with self-hosting comes the responsibility of securing your environment. A single insecure instance can expose API credentials, internal databases, or sensitive user records.
1. Enable Basic/User Authentication
Never run a public-facing n8n instance without user management. Keep user management enabled so that every login requires an account, and set the following when starting the container:
N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true
N8N_USER_MANAGEMENT_DISABLED=false
2. Configure SSL/TLS Certificates
Ensure that all traffic to your instance is encrypted. Use Let's Encrypt with an Nginx or Caddy reverse proxy to enforce HTTPS connections. Running n8n over plain HTTP transmits workflow credentials and session cookies in clear text to anyone on the network path.
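The following Nginx reverse-proxy configuration is an added example, not configuration from n8n itself. It assumes n8n listens on its default port 5678 on the same host, that certbot has issued a certificate for the placeholder domain n8n.example.com into the default /etc/letsencrypt/live/ layout, and that the rest of the server configuration (worker settings, logging) is left at the distribution defaults. Plain HTTP is kept only to redirect to HTTPS; the proxied connection carries the original client address and scheme forward so the webhook allowlisting described later can act on the real source IP.

```nginx
# Port 80: never serve the application here, only redirect to HTTPS.
server {
    listen 80;
    server_name n8n.example.com;   # placeholder domain, replace with yours
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name n8n.example.com;   # placeholder domain, replace with yours

    # Certificate paths as written by certbot for this domain.
    ssl_certificate     /etc/letsencrypt/live/n8n.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/n8n.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to refuse plain HTTP for this host in future.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:5678;   # n8n default port, loopback only

        # n8n's editor uses long-lived upgraded connections; keep them open.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward the real client address and scheme so n8n sees HTTPS
        # and the source IP is available for webhook allowlisting.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;
    }
}
```

Because the proxy, not n8n, now terminates TLS, bind n8n to 127.0.0.1 (or keep it on an internal Docker network) so the plaintext port 5678 is never reachable from outside the host, and tell n8n its public HTTPS address through its WEBHOOK_URL setting so generated webhook URLs use https://.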
3. Secure Your Webhooks
Webhooks are exposed to the public internet so that external services can trigger your workflows. Anyone who learns a webhook URL can call it, so treat the URL alone as public knowledge and add an explicit check:
- Use Custom Header Secrets: Verify a secret header or bearer token at the entry node, and reject the request before any further node runs if it is missing or wrong.
- IP Whitelisting: If the source system (e.g. Stripe, GitHub) publishes fixed IP ranges, configure your firewall or reverse proxy to only allow requests from those IPs.
🔒 Important: Set the environment variable N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true to restrict read/write permissions on the settings file strictly to the user running the Docker process, so that other accounts on the host cannot read the encryption key and credentials stored there.