Security page outdated?

As stated in the security page

By default, n8n can be accessed by everybody. This is okay if you only have it running locally but if you deploy it on a server which is accessible from the web, you have to make sure that n8n is protected.

Right now we have very basic protection in place using basic-auth. It can be activated by setting the following environment variables:

However, now that user management is rolled out, aren’t the above two lines outdated?

Or is the user-management feature not considered secure, and we have to implement our additional security measures to protect our publicly hosted instance?


Hi @chris1, welcome to the community :tada:

You’re quite right, the page does seem to be outdated. Thank you so much for bringing this up!

The user management functionality stores hashed passwords only and as long as you are using an SSL/TLS connection your credentials are also encrypted during transit. So user management isn’t less secure than basic auth and I think this documentation page just got overlooked when user management was rolled out.

I’ll flag this page internally for an update.