Allowlist trusted IP ranges for Forms submissions

The idea is:

Add an IP allowlist / whitelist for n8n Forms, similar to the existing IP whitelist option in the Webhook node. The form should only accept submissions from allowed IPs/CIDR ranges and reject others.

My use case:

We use n8n Forms to collect inputs that should only come from trusted networks/systems (e.g., our company VPN/office IPs, internal services). Right now, Forms are effectively a public entry point once shared, which makes them vulnerable to unwanted submissions and spam. With Webhooks we can restrict by IP; we’d like the same control for Forms.

I think it would be beneficial to add this because:

Security hardening: reduces attack and prevents unauthorized submissions.
Spam/bot mitigation: blocks random traffic at the edge instead of handling it in workflows.
Consistency: Webhook already supports it and Forms should offer similar controls since they’re also ingress endpoints.

Any resources to support this?

n8n already has precedent: the Webhook node IP whitelist feature (same concept).

Are you willing to work on this?

Yes, I’m willing to help implement it and/or test it.

This clearly goes in the direction of hardening workflow and data security, especially once a Form is exposed publicly.
And yes, it doesn’t look like a complex feature to add: a Form is already triggered by an HTTP request, so n8n already has access to request metadata (IP, headers), just like the Webhook node.
Having the same IP allowlist option as the Webhook node would make Forms more consistent and would avoid having to rely on a reverse proxy or extra workflow logic for something that should be an edge level control.
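
The check requested in this thread, as an added example that is not part of the posts above and is not n8n's code: an IPv4 CIDR allowlist that reads `X-Forwarded-For` only when the TCP peer is a known reverse proxy, so a direct client cannot claim a trusted address through a header. All function names, the `req` shape and the sample addresses are assumptions constructed for illustration; native IPv6 is deliberately rejected to keep the block short.

```javascript
// Added example: IPv4-only allowlist check. All names here are hypothetical.

// Parse a dotted-quad IPv4 address into an unsigned integer, or null if invalid.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Node often reports IPv4 peers as IPv4-mapped IPv6 ("::ffff:10.0.0.1").
function normalize(ip) {
  const s = String(ip || "").trim().toLowerCase();
  return s.startsWith("::ffff:") ? s.slice(7) : s;
}

// True if ip falls inside "a.b.c.d/len"; a bare address is treated as /32.
function inCidr(ip, cidr) {
  const m = /^([\d.]+)(?:\/(\d{1,2}))?$/.exec(cidr);
  if (!m) return false;
  const len = m[2] === undefined ? 32 : Number(m[2]);
  const a = ipv4ToInt(normalize(ip));
  const b = ipv4ToInt(m[1]);
  if (a === null || b === null || len > 32) return false;
  const size = 2 ** (32 - len); // number of addresses in one block of this prefix
  return Math.floor(a / size) === Math.floor(b / size);
}

const inAny = (ip, cidrs) => cidrs.some((c) => inCidr(ip, c));

// Choose the address to judge. The header is ignored unless the peer is a trusted
// proxy; then walk it right to left and take the first hop that is not a proxy.
function clientIp(remoteAddress, xForwardedFor, trustedProxies) {
  const peer = normalize(remoteAddress);
  if (!xForwardedFor || !inAny(peer, trustedProxies)) return peer;
  const hops = xForwardedFor.split(",").map(normalize).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!inAny(hops[i], trustedProxies)) return hops[i];
  }
  return peer;
}

// Fail closed: unparsable addresses (including native IPv6 here) are rejected.
function isSubmissionAllowed(req, allowlist, trustedProxies = []) {
  return inAny(clientIp(req.remoteAddress, req.xForwardedFor, trustedProxies), allowlist);
}
```

If the form sits behind a reverse proxy and the proxy is not listed in `trustedProxies`, every submission is judged by the proxy's own address, so the allowlist and the proxy list have to be configured together.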