I’m building a production WhatsApp bot for field reporting using the n8n Cloud offering and have some critical security questions about the platform’s built-in protections.
My Setup:
- n8n Cloud offering instance
- WhatsApp Business API node trigger (on messages)
- PostgreSQL database (Supabase)
- Expected load: ~100-500 users, potential for abuse
Security Concerns & Questions:

1. DDoS Protection
- Does n8n Cloud have built-in DDoS protection at the infrastructure level?
- Are there automatic rate limits on webhook endpoints?
- What happens if someone floods my webhook with thousands of requests?

2. Webhook Security
- Are webhook URLs protected against brute force discovery?
- Is there any built-in rate limiting per IP/endpoint?
- How does n8n Cloud handle malformed or oversized webhook payloads?

3. Resource Protection
- Are there execution limits per workflow to prevent resource exhaustion?
- Does n8n Cloud automatically throttle workflows under heavy load?
- What monitoring/alerting exists for unusual activity?

4. Access Control
- Are webhook endpoints isolated between different n8n Cloud users?
- Is there any IP whitelisting capability for webhook endpoints?
- How secure are the generated webhook URLs?
What I Need:
Clear understanding of n8n Cloud’s built-in security measures so I can:
- Assess if additional protection is needed
- Design appropriate fallback mechanisms
-