With the addition of user management
$env has now become a security issue.
It would be great if we could filter or entirely disable this custom variable.
For example a user can easily forge their own tokens and become any user (including owner) if they get hold of $env.N8N_USER_MANAGEMENT_JWT_SECRET. Edit: not true, you need the partial hashed password for this to work.
Other examples of sensitive headers are all the DB user and passwords, and the SMTP settings.