As stated in the security page:
By default, n8n can be accessed by everybody. This is okay if you only have it running locally but if you deploy it on a server which is accessible from the web, you have to make sure that n8n is protected.
Right now we have very basic protection in place using basic-auth. It can be activated by setting the following environment variables:
However, now that user management is rolled out, aren’t the above two lines outdated?
Or is the user-management feature not considered secure, so that we have to implement our own additional security measures to protect our publicly hosted instance?
Thanks!