
Reporting Security Vulnerabilities

If you discover a security vulnerability in n8n-MCP, please DO NOT create a public issue.

How to Report

  1. Create a private security advisory: use GitHub's private security advisory feature.
  2. Or email the maintainer directly: contact the project maintainer via email for sensitive vulnerabilities.
  3. Provide details. Include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if available)

We take security seriously and will respond to vulnerability reports within 48 hours.

Security Best Practices

1. Environment Variables

NEVER commit real API keys, tokens, or credentials to the repository.

# Use .env files (already in .gitignore)
cp .env.example .env

# Edit .env with your credentials
N8N_API_URL=https://your-n8n-instance.com
N8N_API_KEY=your-api-key

2. API Keys and Tokens

If you accidentally commit credentials:
  1. Revoke the exposed credentials immediately
  2. Generate new credentials
  3. Update your configuration
  4. Use git-secrets or similar tools to prevent future leaks

For all API keys and tokens:
  • No hardcoded fallbacks
  • No default values for sensitive data
  • Always validate that required environment variables are set
  • Use short-lived tokens when possible
  • Rotate tokens regularly
  • Monitor token usage for anomalies
  • Grant the minimum permissions required
  • Create separate API keys for different environments
  • Regularly audit API key permissions

3. Code Security

// Anti-pattern: NEVER hardcode credentials, not even as a fallback.
// Both fallbacks below end up in source control and in every build that ships.
const apiKey = process.env.N8N_API_KEY || 'n8n_api_actual_key_here';
const apiUrl = process.env.N8N_API_URL || 'https://production-url.com';

4. Git Security

Before committing, always check:

# Check for tracked sensitive files
git ls-files | grep -E "\.(env|pem|key|cert)$"

# Check staged changes for secrets
git diff --staged | grep -iE "(api[_-]?key|secret|token|password)"

Prevent committing secrets to git:

# Install git-secrets
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
make install

# Setup for your repo
cd /path/to/n8n-mcp
git secrets --install
# --register-aws only adds AWS credential patterns; register your own with `git secrets --add <pattern>`
git secrets --register-aws

5. Docker Security

  • Never add .env files to Docker images
  • Use build arguments for compile-time configuration only; build arguments persist in the image history, so never pass secrets through them
  • Use runtime environment variables for secrets
  • Run containers as non-root users when possible

6. Dependencies

  1. Regular updates: run npm audit
  2. Review changes: carefully review dependency changes before updating
  3. Use lock files: always commit package-lock.json to ensure reproducible builds
  4. Monitor advisories: subscribe to security advisories for dependencies

Security Checklist

Before each release or deployment:
  • No hardcoded credentials in source code
  • All sensitive configuration uses environment variables
  • .env files are not tracked in git
  • Dependencies are up to date (npm audit clean)
  • No sensitive data in logs
  • API endpoints use proper authentication
  • Docker images don’t contain secrets
  • Security tests pass
  • Third-party dependencies reviewed

Known Security Considerations

When running in HTTP mode, always use strong AUTH_TOKEN values:

# Generate a secure token
openssl rand -base64 32

Configure in your environment:

AUTH_TOKEN=your-generated-token

The n8n API key provides full access to workflows:
  • Protect it like a password
  • Use separate keys for different environments
  • Rotate keys regularly
  • Monitor usage for anomalies

The SQLite database contains:
  • ✅ Node information (safe)
  • ✅ Documentation (safe)
  • ✅ Template metadata (safe)
  • ❌ No credentials stored
  • ❌ No user data stored

When using webhooks with local n8n instances:

# Allow localhost webhooks (development only)
WEBHOOK_SECURITY_MODE=moderate

Never use moderate mode in production. It allows webhooks to local/private networks.
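The rules from sections 1 and 3 (no fallbacks, validate that variables are set) and from this section (strong AUTH_TOKEN, no moderate webhook mode in production) can be enforced at startup. This is an added example, not n8n-MCP's own code; the `httpMode` and `production` flags and the 32-character minimum are assumptions, while the variable names are the ones this page uses.

```typescript
// Added example (not n8n-MCP's own code): load the variables this page names with no
// fallbacks and fail fast on missing or weak values. `httpMode`/`production` are assumed inputs.
type Env = Record<string, string | undefined>;

interface SecurityConfig {
  n8nApiUrl: string;
  n8nApiKey: string;
  authToken: string | null;            // only required in HTTP mode
  webhookSecurityMode: string | null;  // null when the variable is unset
}

// `openssl rand -base64 32` yields 44 characters; 32 is an assumed floor that
// still rejects short, guessable AUTH_TOKEN values.
const MIN_AUTH_TOKEN_LENGTH = 32;

function required(env: Env, name: string): string {
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new Error(`${name} is not set; refusing to start without it`);
  }
  return value;
}

function loadSecurityConfig(env: Env, httpMode: boolean, production: boolean): SecurityConfig {
  const n8nApiUrl = required(env, 'N8N_API_URL');
  if (production && !n8nApiUrl.startsWith('https://')) {
    throw new Error('N8N_API_URL must use https:// in production');
  }
  const n8nApiKey = required(env, 'N8N_API_KEY');
  let authToken: string | null = null;
  if (httpMode) {
    authToken = required(env, 'AUTH_TOKEN');
    if (authToken.length < MIN_AUTH_TOKEN_LENGTH || authToken === 'your-generated-token') {
      throw new Error('AUTH_TOKEN is too short or still the placeholder value');
    }
  }
  const webhookSecurityMode = env.WEBHOOK_SECURITY_MODE ?? null;
  if (production && webhookSecurityMode === 'moderate') {
    throw new Error('WEBHOOK_SECURITY_MODE=moderate allows local/private webhooks; not for production');
  }
  return { n8nApiUrl, n8nApiKey, authToken, webhookSecurityMode };
}

// Safe to log: secrets are replaced by their length so nothing sensitive reaches the logs.
function describeConfig(c: SecurityConfig): string {
  const mask = (s: string | null) => (s === null ? 'unset' : `[redacted, ${s.length} chars]`);
  return `n8n=${c.n8nApiUrl} apiKey=${mask(c.n8nApiKey)} authToken=${mask(c.authToken)} webhookMode=${c.webhookSecurityMode ?? 'default'}`;
}
```

Call `loadSecurityConfig` once at process start and log only `describeConfig(config)`, never the config object itself.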

Security Tools

  • SecureKeyGuard: automated scanning for exposed secrets
  • npm audit: check for vulnerable dependencies
  • git-secrets: prevent committing secrets to git
  • dotenv-vault: secure environment variable management

Production Deployment

Additional security measures for production deployments:

HTTPS Only

  • Always use HTTPS for production deployments
  • Use valid SSL/TLS certificates
  • Configure proper CORS headers

Network Security

  • Use firewall rules to restrict access
  • Implement rate limiting
  • Use VPN or private networks when possible

Monitoring

  • Enable logging for security events
  • Monitor for unusual API usage patterns
  • Set up alerts for failed authentication attempts

Backup & Recovery

  • Regular backups of configuration
  • Documented recovery procedures
  • Test restore procedures regularly

Compliance

n8n-MCP is designed to work with your existing security policies:
  • No data leaves your infrastructure (self-hosted mode)
  • All telemetry is optional and can be disabled
  • No external dependencies in production mode
  • Audit logs available for compliance

Contact

For security concerns or questions:

  • Security Advisory: report vulnerabilities privately
  • GitHub Issues: general security questions

Remember: Security is everyone’s responsibility. When in doubt, ask for a security review.
