Prevent PostHog Cookie from being set for Top Level Domain of n8n subdomain

Hi everyone,

We’ve recently moved our self-hosted n8n instance to the subdomain n8n.example.com of our primary domain example.com. n8n also runs behind an Azure App Proxy for external access, although I don’t think this is relevant. Since we moved n8n to our primary domain, we’ve started running into an unexpected issue:

n8n sets a PostHog tracking cookie named ph_phc_4URIAm1uYfJO7j8kWSe0J8lc8IqnstRLS7Jx8NcakHo_posthog on the entire parent domain (.example.com) instead of just the n8n.example.com subdomain.

This becomes a problem because we also run other apps on sibling subdomains, which are protected by a strict WAF (Sophos/ModSecurity). That WAF inspects cookie contents and flags the PostHog cookie as a potential SQL injection vector, resulting in 403 Forbidden errors for completely unrelated services.

Here is a decoded sample of the cookie payload (without Azure App Proxy):

{
  "distinct_id": "641161f96fa124764b202... ...24097a6027621fb1946b#ebf6b1b3-c829-4f2d-9f5d-129d850e47bf",
  "$sesid": [1752572045554, "01980d6f-28c6-7551-ab8f-0039fd4929f3", 1752572045510],
  "$epp": true,
  "$initial_person_info": {
    "r": "$direct",
    "u": "https://n8n.example.com/signin?redirect=%252F"
  }
}

And here is a sample of the cookie payload with Azure App Proxy in front:

{
  "distinct_id": "641161f96fa124764b202... ...24097a6027621fb1946b#ebf6b1b3-c829-4f2d-9f5d-129d850e47bf",
  "$sesid": [1752572203367, "01980d5c-4c44-7c8a-8906-6f2b548f4e27", 1752570809409],
  "$epp": true,
  "$initial_person_info": {
    "r": "https://login.microsoftonline.com/",
    "u": "https://n8n.example.com/signout"
  }
}

The Web Application Firewall for the unrelated services throws the following error:

[Tue Jul 15 08:56:33.102299 2025] [security2:error] [pid 16260:tid 140291113596672] [client 123.123.123.123:57804] [client 123.123.123.123] 
ModSecurity: Warning. Pattern match "[\\"'`][\\\\s\\\\d]*?[^\\\\w\\\\s]\\\\W*?\\\\d\\\\W*?.*?[\\"'`\\\\d]" at REQUEST_COOKIES:ph_phc_XXXXXXXXXXXX_posthog. 
[file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] 
[line "1345"] [id "942490"] [msg "Detects classic SQL injection probings 3/3"]
[data "Matched Data: \\x22:\\x2264 found within REQUEST_COOKIES:ph_phc_XXXXXXXXXXXX_posthog: 
{\\x22distinct_id\\x22:\\x22[HASHED_ID]#[UUID]\\x22,\\x22$sesid\\x22:[TIMESTAMP_A,\\x22[SESSION_UUID]\\x22,TIMESTAMP_B],\\x22$epp\\x22:true,\\x22$initial_person_info\\x22:{\\x22r\\x22:\\x22https://login.microsoftonline.com/\\x22,\\x22u\\x22:\\x22https://n8n.example.com/signout\\x22}}"]
[severity "CRITICAL"] [ver "OWASP_CRS/3.3.3"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "p [hostname "pbx.example.com"] [uri "/favicon.ico"] [unique_id "REDACTED"], referer: https://pbx.example.com/

As a temporary workaround we disabled telemetry by setting

N8N_DIAGNOSTICS_ENABLED=false

This stops the cookie from being set altogether – which resolves the issue – but I’d prefer to keep diagnostics enabled, and simply restrict the cookie scope to the subdomain (n8n.example.com) instead of the whole domain.

Is there a way to instruct n8n to set the PostHog cookie only for n8n.example.com and not for .example.com?

Thanks in advance for any help or clarification!

Best regards,
Christian

1 Like
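As an added illustration (not code from the original post or from n8n) of why a cookie scoped to .example.com reaches the WAF in front of pbx.example.com and trips CRS rule 942490: the regex is the one from the ModSecurity log above with the log escaping removed; the payload ids and the cookie name are constructed placeholders.

```python
import json
import re
from typing import Optional
from urllib.parse import quote, unquote

# CRS rule 942490 ("classic SQL injection probings 3/3"), unescaped from the
# ModSecurity log: a quote, optional space/digits, one non-word char, optional
# non-word chars, a digit, anything, then a quote or digit.
CRS_942490 = re.compile(r'''(?i)["'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?["'`\d]''')

# Constructed stand-in for the PostHog cookie payload (ids are placeholders).
POSTHOG_PAYLOAD = {
    "distinct_id": "641161f96fa124764b202#ebf6b1b3-c829-4f2d-9f5d-129d850e47bf",
    "$sesid": [1752572045554, "01980d6f-28c6-7551-ab8f-0039fd4929f3", 1752572045510],
    "$epp": True,
    "$initial_person_info": {"r": "$direct", "u": "https://n8n.example.com/signin"},
}


def domain_matches(request_host: str, cookie_domain: Optional[str], origin_host: str) -> bool:
    """RFC 6265 cookie scoping: no Domain attribute means a host-only cookie;
    Domain=example.com covers example.com and every subdomain of it."""
    if cookie_domain is None:
        return request_host.lower() == origin_host.lower()
    d = cookie_domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def cookie_header_for(request_host: str, cookie_domain: Optional[str]) -> Optional[str]:
    """Cookie header a browser would attach to a request to request_host,
    given the PostHog cookie was set by n8n.example.com with that Domain."""
    if not domain_matches(request_host, cookie_domain, "n8n.example.com"):
        return None
    value = quote(json.dumps(POSTHOG_PAYLOAD, separators=(",", ":")), safe="")
    return f"ph_phc_PLACEHOLDER_posthog={value}"


def crs_942490_match(cookie_header: Optional[str]) -> Optional[str]:
    """Fragment rule 942490 flags after the WAF URL-decodes the cookie value,
    or None when no cookie is sent or nothing matches."""
    if cookie_header is None:
        return None
    _, _, raw = cookie_header.partition("=")
    m = CRS_942490.search(unquote(raw))
    return m.group(0) if m else None


if __name__ == "__main__":
    for dom in (".example.com", None):  # parent-domain scope vs host-only
        hdr = cookie_header_for("pbx.example.com", dom)
        print(f"Domain={dom!s:13} sent to pbx: {hdr is not None}, "
              f"942490 match: {crs_942490_match(hdr)!r}")
```

The `":"64` fragment (closing quote of `distinct_id`, colon, opening quote, first digits) is exactly the "Matched Data" the log reports; a host-only cookie never reaches pbx.example.com, so the rule has nothing to match.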

Hi there, have you tried setting N8N_SAMESITE_COOKIE to strict?
I don’t know if it will help you or not. I’m just reading the documentation from official n8n and mozilla.
I just wanna know if it helps you:)

References:
[1]: Security environment variables | n8n Docs
[2]: Set-Cookie header - HTTP | MDN

Thank you for your reply!

Unfortunately this setting did not solve the issue. The PostHog cookie gets set for the domain .example.com anyway and is therefore sent to other subdomains of the domain as well.

To disable only the PostHog tracking cookie (which is client-side), but keep server-side diagnostics/telemetry enabled, set this in your environment:

N8N_DIAGNOSTICS_CONFIG={"enabled":true,"posthog":{"enabled":false}}

In Docker, you would add:

environment:
  - N8N_DIAGNOSTICS_CONFIG={"enabled":true,"posthog":{"enabled":false}}

This disables PostHog’s frontend/browser SDK entirely, preventing the cookie from being set, without disabling the rest of the internal diagnostics.

I added this to our Docker configuration (through Portainer Stacks), but the PostHog cookie was unfortunately set anyway.

Can you tell me what exactly PostHog does? How important is it? We could live with disabling diagnostics altogether, if it didn’t disable the AI feature as well.

PostHog in n8n is purely a telemetry/analytics tool—it tracks anonymous UI events, feature usage, error rates, and performance data (via the PostHog browser SDK) so that the n8n team can see which parts of the app are most used and where bugs crop up. It does not power or gate any core functionality—your workflows, triggers, or AI nodes will keep working exactly the same if you turn it off.

If you’re willing to drop all diagnostics (both client- and server-side), just set:

N8N_DIAGNOSTICS_ENABLED=false

in your environment and restart. That:

  • Stops PostHog entirely (no cookie, no UI analytics)
  • Disables n8n’s internal error/usage reporting
  • Does not disable or interfere with the AI Agent node or any other feature—those still call OpenAI independently of diagnostics.
1 Like

Sorry for the delay. Somehow I’ve missed your last reply.

Thank you for clarifying what diagnostics does. What I meant with “AI features” is what is stated in the n8n documentation:

Whether to share selected, anonymous telemetry with n8n. Note that if you set this to false, you can’t enable Ask AI in the Code node.

I am not sure in which way this would impact us in future. Currently it doesn’t at all, since we barely use the code node.
