Securing n8n instance

Hey n8n-community!

I’ve been thinking about: When I’m using the Chat Trigger node on a website (e.g. via the n8n-chat CDN), how can I properly protect my instance from abuse? Like DDoS, unnecessary requests from fools, etc.? For now the origin server (if self-hosted) or n8n instance is publicly available, and I might want to block specific users based on their behavioral pattern or even their IP address. Currently that is not possible, right?

Thank you for your help, I appreciate any ideas!

Have a look at the products Cloudflare offers to protect against these kinds of attacks. Sorry, not a very comprehensive answer.

Would the same apply if I used n8n cloud?

Regarding n8n self-hosted: May you tell me what specific services I need? For someone who has no idea about security it is quite overwhelming.

If you’re using n8n cloud, then you should already be protected by their setup. n8n will manage your infrastructure for you.

Self-hosting infrastructure setups can get very complex very quickly, but you can ask Perplexity based on your requirements:

https://www.perplexity.ai/search/how-to-secure-a-self-hosted-ve-16gp1gdcTB6Uxn.wPOBXqg

Thank you for your ideas, Wouter!

Since I have no clue about setting all the security up all by myself, maybe you know about any services that can handle at least all the basic stuff? That would be incredibly helpful for me!

I recommend using n8n cloud then.
That makes sure you should not have to worry about it. Other services will most likely cost more.

2 Likes

I agree with @BramKn here. If you don’t want to worry about security, then simply paying for the convenience of n8n cloud is the way to go. If your requirement is in fact to host your own instances for privacy or other reasons, then we can help you further.

1 Like

Yeah, being able to have full control is better for me; there are several reasons why self-hosting is an option for me.

Sure Wouter, I’d love to hear.

So, there are 2 main things to that:

  1. Allowed Origins (CORS) option in the Chat Trigger node. By default it’s set to ‘*’, which allows traffic from any website. This can be circumvented by non-browser clients, so this should be just the initial phase.
  2. Using CloudFlare. Here’s how to do that for n8n: Securely Self-Hosting n8n with Docker & Cloudflare Tunnel (The... Arguably Less-Painful Way)

What you’re actually doing here, is moving all your traffic via CloudFlare. Having CloudFlare set up, you can:

  1. Implement specific rate limiting in your n8n process, for example you can pass a metadata flag (and require it in the workflow) to limit some of the malicious traffic.

Or you can implement rate limiting per metadata item/conversation id in your workflow: as simple as keeping requests from last 10 minutes in DB and only allowing X number of requests for this time per conversation/total, up to implementing more complex algos like leaky bucket.

2 Likes
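The per-conversation rate limiting described in the post above, as an added example that is not part of the original thread and not n8n's own code. It is written as a Code node in the workflow behind a Chat Trigger might use it: a sliding window over the last 10 minutes, a cap per conversation and a cap in total, plus the required-metadata-flag check from the first point. The in-memory Map stands in for the database the post mentions (a real workflow would read and write the timestamps there on each run), and the item shape `{ sessionId, metadata }`, the field name `metadata.flag`, the flag value and all limits are assumptions, not n8n defaults.

```javascript
// Added example, not from the post or from n8n: sliding-window rate limiting
// keyed by chat conversation, with a required metadata flag.
// Every limit below is an assumed value.

const WINDOW_MS = 10 * 60 * 1000;   // "requests from the last 10 minutes"
const PER_CONVERSATION_LIMIT = 5;   // assumed: X requests per conversation per window
const TOTAL_LIMIT = 8;              // assumed: cap across all conversations per window
const REQUIRED_FLAG = 'widget-v1';  // assumed metadata value the embedded chat must send

class SlidingWindowLimiter {
  constructor(windowMs, perKeyLimit, totalLimit) {
    this.windowMs = windowMs;
    this.perKeyLimit = perKeyLimit;
    this.totalLimit = totalLimit;
    this.hits = new Map(); // conversation id -> array of request timestamps (ms)
  }

  // Drop timestamps that fell out of the window and delete idle conversations,
  // so the store does not grow without bound under a flood of fresh ids.
  prune(now) {
    const cutoff = now - this.windowMs;
    for (const [key, stamps] of this.hits) {
      const kept = stamps.filter((t) => t > cutoff);
      if (kept.length === 0) this.hits.delete(key);
      else this.hits.set(key, kept);
    }
  }

  totalInWindow() {
    let n = 0;
    for (const stamps of this.hits.values()) n += stamps.length;
    return n;
  }

  // Record one request for `key` unless a limit is already reached.
  check(key, now = Date.now()) {
    this.prune(now);
    const mine = this.hits.get(key) || [];
    if (mine.length >= this.perKeyLimit) {
      return { allowed: false, reason: 'conversation limit' };
    }
    if (this.totalInWindow() >= this.totalLimit) {
      return { allowed: false, reason: 'total limit' };
    }
    mine.push(now);
    this.hits.set(key, mine);
    return { allowed: true, remaining: this.perKeyLimit - mine.length };
  }
}

// Decide whether one Chat Trigger item may proceed. The item shape
// ({ sessionId, metadata }) is an assumption about what the trigger emits;
// adapt the field names to what your trigger actually outputs.
function decide(item, limiter, now) {
  if (!item || !item.metadata || item.metadata.flag !== REQUIRED_FLAG) {
    return { allowed: false, reason: 'missing metadata flag' };
  }
  const key = String(item.sessionId || '');
  if (key === '') return { allowed: false, reason: 'missing session id' };
  return limiter.check(key, now);
}

// Constructed sample traffic: one conversation that bursts, one that is quiet,
// one request without the flag, and the burst conversation again after the
// window has passed. A fixed clock keeps the result reproducible.
function runSample() {
  const limiter = new SlidingWindowLimiter(WINDOW_MS, PER_CONVERSATION_LIMIT, TOTAL_LIMIT);
  const t0 = 1700000000000;
  const ok = { flag: REQUIRED_FLAG };
  const results = [];
  for (let i = 0; i < 7; i++) {
    results.push(decide({ sessionId: 'conv-A', metadata: ok }, limiter, t0 + i * 1000));
  }
  results.push(decide({ sessionId: 'conv-B', metadata: ok }, limiter, t0 + 8000));
  results.push(decide({ sessionId: 'conv-C', metadata: {} }, limiter, t0 + 9000));
  results.push(decide({ sessionId: 'conv-A', metadata: ok }, limiter, t0 + WINDOW_MS + 10000));
  return results;
}
```

In a Code node the decision would be returned as an item (for example `return [{ json: decision }]`) and an IF node after it would route denied requests to a short reply instead of the model call. The per-conversation key only limits one chat session; a client that mints a new session id per request is only caught by the total cap, which is why the post treats this as the layer behind CloudFlare rather than instead of it.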

Thank you raph, I’ll have a look into that!

1 Like