Self-hosted n8n 1.119.2 has overly restrictive hardcoded CSP breaking UI components

Problem
Self-hosted n8n version 1.119.2 sets a hardcoded Content Security Policy (CSP) that is too restrictive and breaks critical UI components. The CSP blocks inline scripts, inline styles, and eval(), which causes rendering issues across the interface.
Affected Components
Data Tables: Show “No rows” despite containing data
Agent Nodes: Display with red warning triangles and broken rendering
General UI: Various components fail to render properly due to blocked inline styles/scripts
Browser Console Errors
Content Security Policy blocks inline execution of scripts and stylesheets
Content Security Policy of your site blocks some resources
Content Security Policy of your site blocks the use of 'eval' in JavaScript
Current CSP Header
default-src 'self'; frame-ancestors 'none'; base-uri 'self';
Expected CSP Header
Should allow at minimum:
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
What We Tried
We attempted to configure or override the CSP through:
❌ Environment variable N8N_SECURITY_CONTENT_SECURITY_POLICY_ENABLED=false - not recognized
❌ Reverse proxy (Caddy) header manipulation with header_down, defer, and handle_response - CSP persists
❌ Docker environment variable overrides - no effect
The CSP appears to be hardcoded in the Express server without configuration options.
Workaround
Currently using a browser extension to disable CSP client-side, which is not ideal for production use.
Request
Please add environment variables to configure CSP headers in self-hosted deployments, such as:
N8N_SECURITY_CSP_SCRIPT_SRC
N8N_SECURITY_CSP_STYLE_SRC
N8N_SECURITY_CSP_ENABLED=false (to disable entirely)
This would allow self-hosted users to adjust security policies based on their deployment environment and trust level.
Environment
n8n Version: 1.119.2
Deployment: Docker self-hosted
Reverse Proxy: Caddy
Database: PostgreSQL

According to Security environment variables | n8n Docs, the env var name you should use to override the content security policy is N8N_CONTENT_SECURITY_POLICY.
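
Added example (not part of the thread and not n8n's code): a simplified JavaScript model of how a browser resolves the header quoted under "Current CSP Header". With no script-src or style-src present, both fall back to default-src 'self', which is why inline scripts, inline styles and eval() are refused. The REQUESTED string is constructed by appending the directives listed under "Expected CSP Header"; the function names are hypothetical, and script-src-elem/script-src-attr and 'strict-dynamic' are not modelled.

```javascript
// Parse a CSP header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src and style-src fall back to default-src when they are absent.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { from: directive, sources: policy.get(directive) };
  if (policy.has('default-src')) return { from: 'default-src', sources: policy.get('default-src') };
  return { from: null, sources: null }; // nothing restricts this resource type
}

// Does the governing directive carry the given keyword source?
function allows(policy, directive, keyword) {
  const { sources } = effectiveSources(policy, directive);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore a blanket 'unsafe-inline'.
  if (keyword === "'unsafe-inline'" &&
      lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) return false;
  return lower.includes(keyword);
}

function report(header) {
  const p = parseCsp(header);
  return {
    scriptGovernedBy: effectiveSources(p, 'script-src').from,
    styleGovernedBy: effectiveSources(p, 'style-src').from,
    inlineScript: allows(p, 'script-src', "'unsafe-inline'"),
    evalAllowed: allows(p, 'script-src', "'unsafe-eval'"),
    inlineStyle: allows(p, 'style-src', "'unsafe-inline'"),
  };
}

// Header quoted in the post, and a constructed variant with the requested directives.
const CURRENT = "default-src 'self'; frame-ancestors 'none'; base-uri 'self';";
const REQUESTED = CURRENT +
  " script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
console.log(report(CURRENT));
console.log(report(REQUESTED));
```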