Rest/settings endpoint exposed

Hello everyone!

I have a problem with self-hosted n8n version.
I hosted n8n on an Azure Web App, but if I go to the link where it is hosted with /rest/settings I can see login URL, Callback URL and apiKeys (relative to posthog).
Is there a way to hide them? I cannot block the endpoint because the frontend uses it, but I cannot leave it with public access.

  • n8n version: latest
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system:

Hi @Mbarello

Yes indeed, many people have raised this recently, and I’m pretty confident the n8n team may address it soon.

In the meantime, you can block, shield, or redirect that path however you prefer…

If you’re using a reverse proxy, you can handle it there. If not, try setting up a redirect or restriction directly in your domain or hosting settings.

Yes, this is a big security concern.

@mohamed3nan I searched in Github, but somehow I don’t see any issues related to it. Where did the people raise the concern?

And more important: When will this security issue be fixed? I think redirection or basic auth is not possible, because the frontend is broken then. Or am I misunderstanding something?


@AlexBa search with “rest/settings” here, you will find a lot.

From version 1.118.0 they seem to have fixed it: “Reduce unauthentication information in settings endpoint”.