n8n on Render.com – How Do You Secure the /metrics Endpoint?

Hey everyone,

Quick question for those of you deploying n8n on Render.com:

When you expose the /metrics endpoint (N8N_METRICS=true), do you add any authentication (like a Bearer token) to prevent it from being publicly accessible?

In more traditional setups (like Docker behind a reverse proxy or Kubernetes), this kind of endpoint typically lives inside a private network, only accessible internally (e.g., by Prometheus).
But with Render, unless you set up something custom, anything exposed is publicly reachable — which means the /metrics endpoint can be accessed by anyone.

Even if traffic is low, each ping still consumes outbound bandwidth.

How do you handle this? Do you secure it, or just leave it open?

Thanks in advance for your insights!

You might be able to block external access by creating a static redirect for the /metrics path on your n8n/render app domain, pointed to a static page that says “shoo… go away”.

Usually, n8n is deployed as a Web Service, which doesn’t provide the Redirect/Rewrite feature available to Static Sites on Render.

One approach could be to place n8n behind a custom domain that is reverse-proxied through Cloudflare, then add a rule for the /metrics endpoint so only your Prometheus instance can access it.
But it may be over-engineered for a page that no one other than the instance owners should care about 😄.
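
Added example, not part of any post in this thread: one way to combine the Bearer-token idea from the question with the Cloudflare proxy suggestion is a small Worker-style gate in front of n8n. It assumes a hypothetical secret binding named `METRICS_TOKEN` and a proxied custom domain; the function names are illustrative.

```javascript
// Added example. METRICS_TOKEN is a hypothetical secret binding, not an n8n setting.

// Compare every position instead of returning at the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i); // NaN acts as 0
  return diff === 0;
}

// Canonicalise before matching so //metrics, /Metrics/ and /%6detrics are all
// gated (assumption: the origin's router may match more loosely than "===").
function isMetricsPath(rawUrl) {
  let path;
  try {
    path = decodeURIComponent(new URL(rawUrl).pathname);
  } catch {
    return true; // unparsable URL or bad percent-encoding: treat as protected
  }
  path = path.replace(/\/{2,}/g, "/").replace(/\/+$/, "").toLowerCase();
  return path === "/metrics" || path.startsWith("/metrics/");
}

// Returns 0 to forward the request, otherwise the HTTP status to reject with.
function metricsGate(rawUrl, authorization, expectedToken) {
  if (!isMetricsPath(rawUrl)) return 0;
  if (!expectedToken) return 503; // fail closed when no token is configured
  const m = /^Bearer\s+(\S+)$/i.exec(authorization || "");
  if (!m) return 401; // no bearer credentials presented
  return safeEqual(m[1], expectedToken) ? 0 : 403;
}

// Worker wiring: in a Cloudflare Worker, `export default { fetch: handle }`.
// On a proxied route, fetch(request) continues to the origin.
async function handle(request, env) {
  const status = metricsGate(request.url, request.headers.get("authorization"), env.METRICS_TOKEN);
  if (status === 0) return fetch(request);
  const headers = status === 401 ? { "WWW-Authenticate": "Bearer" } : {};
  return new Response(null, { status, headers });
}
```

Prometheus would send the token through the `authorization` block of its scrape config. The gate only helps if the origin cannot be reached directly around the proxy.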