So, there are 2 main things to that:
- Allowed Origins (CORS) option in the Chat Trigger node. By default it’s set to ‘*’, which allows traffic from any website. This can be circumvented by non-browser clients, so this should be just the initial phase.
- Using Cloudflare - here’s how to do that for n8n: Securely Self-Hosting n8n with Docker & Cloudflare Tunnel (The... Arguably Less-Painful Way)
What you’re actually doing here is moving all your traffic via Cloudflare. Having Cloudflare set up, you can:
- add Firewall rules, such as rate limiting: Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs
- add bot protection: Cloudflare Bot Management & Protection
- add many more, including IP blocking. Here are actions you can set up: Actions reference · Cloudflare Ruleset Engine docs
- You can implement specific rate limiting in your n8n process; for example, you can pass a metadata flag (and require it in the workflow) to limit some of the malicious traffic.
Or you can implement rate limiting per metadata item/conversation id in your workflow: as simple as keeping the requests from the last 10 minutes in a DB and only allowing X requests in that time per conversation/in total, up to implementing more complex algorithms like leaky bucket.
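The "last 10 minutes per conversation/total" scheme from the post, written out as a sliding-window limiter. This is an added example, not code from the post or from n8n; the in-memory Map stands in for the DB table a workflow would use, and the window size and limits are assumed values.

```javascript
// Added example: per-conversation and total rate limiting over a sliding
// 10-minute window. The Map stands in for the DB table a workflow would
// keep request rows in; limits and window are assumed values.
const WINDOW_MS = 10 * 60 * 1000;   // requests from the last 10 minutes count
const PER_CONVERSATION_LIMIT = 20;  // assumed X per conversation id
const TOTAL_LIMIT = 100;            // assumed X across all conversations

// conversation id -> timestamps (ms) of accepted requests inside the window
const store = new Map();

// Drop timestamps older than the window, delete ids with nothing left,
// and return how many requests remain in the window overall.
function pruneAll(now) {
  let total = 0;
  for (const [id, stamps] of store) {
    const kept = stamps.filter((t) => now - t < WINDOW_MS);
    if (kept.length === 0) store.delete(id); else store.set(id, kept);
    total += kept.length;
  }
  return total;
}

// Decide whether a chat request for `conversationId` arriving at `now` may
// proceed. Requests without a usable id are refused outright, which is the
// "require the metadata flag in the workflow" check from the post.
function checkRequest(conversationId, now = Date.now()) {
  if (typeof conversationId !== 'string' || conversationId.trim() === '') {
    return { allowed: false, reason: 'missing conversation id' };
  }
  const total = pruneAll(now);
  const recent = store.get(conversationId) || [];
  if (recent.length >= PER_CONVERSATION_LIMIT) {
    return { allowed: false, reason: 'conversation limit' };
  }
  if (total >= TOTAL_LIMIT) {
    return { allowed: false, reason: 'total limit' };
  }
  recent.push(now);
  store.set(conversationId, recent);
  return { allowed: true, perConversation: recent.length, total: total + 1 };
}

// Clear all state (useful between workflow test runs).
function resetStore() { store.clear(); }
```

In an n8n workflow the same logic sits in a Code node in front of the agent, with the Map replaced by a table keyed on the conversation id so the count survives across executions.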