How secure is n8n docker image for production?

Hi everyone,

I have finally managed to set up a (hopefully) secure n8n production environment in the Hetzner cloud. However, I have a few last questions concerning security INSIDE the n8n docker image (which is mostly out of my control) and would appreciate your reply:

  • Node.js security
    Is Node.js inside the image set-up to be safely used in production? I. e. are the Node.js security guidelines being followed? Especially is the debugger disabled?
  • Docker Content Trust
    I could not download the image with Docker Content Trust (DCT) enforced. Is there another image available which gets signed? Or do you have any plans to sign the official image in the near future?

Thank you for this awesome piece of software and your help! :slight_smile:

Hi @AdFisch,

I don’t think anyone has asked this before but at the same time I also don’t think anyone has ran into any security issues with the container in a production environment.

One of the good things with n8n is our source is available (we have nothing to hide) and because of this you can find our docker files and if needed you can make your own if there is anything that worries you.

It is possible that @jan will know a lot more about the actual docker image and what is happening along with the request about signing :slight_smile:

Hi @Jon,

thank you for your reply. I know everything is open-source but I am not deeply into Node.js development. Frankly, that’s why I (and probably many other developers) chose the Docker setup. However, I would feel better if you stated that the docker image follows common security standards and is ready for production (of course without any warranty). So if @jan is able to do that, I would appreciate a reply. Thank you.

And of course I would appreciate if you could sign the image. :smiley:

Probably useful to know that n8n has a builtin security scan that can help you spot potential problems: Security audit - n8n Documentation

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.