I have some issues with restricting webhook_url. We've discussed this at:
Now n8n can have N8N_EDITOR_BASE_URL. But someone could still go to webhook_url to log in to n8n. Unlike the editor, webhook_url is easier to discover and attack by brute force.
Could you have a repo to upgrade n8n core to restrict webhook_url?
I think an env variable would make it simpler.
I’m pretty sure n8n is agnostic of the incoming Host header at the moment. It does make sense this boundary would be applied where you’re terminating your TLS connections… the/a reverse proxy.
I’ve recently used Caddy in a very strict environment to separate out webhook and management connections with a config something like this:
# n8n management interface
n8n.example.com {
    reverse_proxy http://myn8n:5678
}

# n8n webhook interface, exposed externally
webhook.example.com {
    # Match n8n webhook requests (production and test paths followed by a UUID)
    @webhook {
        path_regexp ^\/webhook(?:-test)?\/([A-Fa-f\d]{8}-[A-Fa-f\d]{4}-[A-Fa-f\d]{4}-[A-Fa-f\d]{4}-[A-Fa-f\d]{12})
    }
    # Send to n8n
    reverse_proxy @webhook http://myn8n:5678
    # Drop anything not going to a webhook URL
    abort
}
This would be a nice improvement. It makes sense to have one endpoint for the GUI and one endpoint for the webhooks if the webhooks are used for an API. It is undesirable for someone to go to the root of the subdomain used for the API and easily discover that n8n is being used. This is a potential security risk.
I have a unique subdomain for the GUI and another unique subdomain for the API. The problem is that the GUI still loads when visiting the API subdomain. I have addressed this for now with a Cloudflare Page Rule that redirects to another website all calls to the API subdomain; it does not affect calls to the webhooks.
Hi, following up on this thread: as some third parties require their IPs to be whitelisted in order to receive webhooks from them, it would be great to be able to do this on n8n cloud.