Environment:
-
n8n Version: 2.2.5 (Self-Hosted via Docker)
-
Hosting Provider: Hostinger VPS
-
Browser: Chrome/Safari (Latest)
-
WAF/Security: Hostinger Native Firewall / ModSecurity
Summary of the Problem: I am experiencing a severe desynchronization between the n8n Editor UI and the Execution Engine. Changes made to the workflow (specifically adding a Code Node with Regex/Buffer logic) appear to “Save” successfully in the UI, but the server silently rejects the save operation.
As a result, when I click “Execute Workflow,” the server runs an old, cached version of the workflow (a “Ghost” version) that often includes deleted nodes or broken wiring, leading to execution errors that do not match the visible canvas.
Symptoms:
-
Ghost Executions: I can delete a node (e.g., a “Merge” node) and replace it with a new one. The UI shows the new wiring. However, the Execution logs show the deleted node being executed.
-
Silent Save Failures: Clicking “Save” triggers the success toast notification, but reloading the page (
F5) causes the workflow to revert to the previous state, proving the save never happened on the backend. -
Broken HTTP Inputs: An HTTP Request node connected to a new source fails with
Input is a zero-length, empty documentbecause the server still thinks it is connected to a previous (now deleted) node that had different output fields. -
Persistence: Docker container restarts and server reboots do not resolve the desync until the “problematic” node is removed.
Suspected Root Cause (WAF False Positive): It appears the Hostinger Web Application Firewall (WAF) is flagging the POST /rest/workflows payload as malicious when it contains specific JavaScript keywords inside a Code Node.
Specifically, using the following in a Code Node triggers the silent block:
-
new RegExp(...) -
Buffer.from(...) -
Base64 strings used to mask HTML tags.
The WAF blocks the “Save” request (likely a 403 Forbidden hidden by the UI), causing the Editor to think it saved while the Database remains untouched.
The Workaround / Solution: The issue was resolved only by deleting the Code Node entirely. Moving the logic from the Code Node into a standard n8n Expression (using $json.content.toString()... inside an HTTP Request node) allowed the workflow to save and execute correctly immediately.
Question for the Community: Has anyone else on Hostinger or similar VPS setups seen WAF rules silently block workflow saves when using specific JavaScript regex patterns? Is there a recommended whitelist rule for n8n?