N8N Security

Reply to N8N Security on Wed, 14 Jan 2026 11:15:35 GMT

james — Wed, 14 Jan 2026 11:15:35 GMT

Would this obfuscate the n8n frontend, at least partially?

Yes, but security via obscurity is useless.

So the only thing that I presume would change that if some automated scraper comes passing by my IP asking: "Do you run N8N?" my server would answer: "Please log in with your cloudron details" instead of "Sure I am running this N8N version"

If your IP is scraped it will not even reply with N8N but would return Cloudron.
They would need to know the subdomain of your N8N Cloudron app, which is also possible from e.g. the SSL/TLS certificate if wildcard is not used.
Example for cloudron.io https://www.merklemap.com/search?query=cloudron.io&page=0

Anything that is publicly accessible in the World Wide Web is subjected to access attempts.
And again, if N8N would use the custom OIDC plugin, the brute force would just move to a new target, the OIDC login.

We are planning to add per app IP-Whitelisting.
With that, apps could be gated behind e.g.: the Cloudron VPN app.
This would be a reliable way to block public access.

Reply to N8N Security on Wed, 14 Jan 2026 11:10:01 GMT

jorrg — Wed, 14 Jan 2026 11:10:01 GMT

@Teiluj said in N8N Security:

However, in the meantime, maybe you've seen this post about OIDC and n8n from @luckow ?

Haven't seen it, before!

Reply to N8N Security on Wed, 14 Jan 2026 11:00:30 GMT

jorrg — Wed, 14 Jan 2026 11:00:30 GMT

Yeah, I know.

The thing that I was worried about were automated scrapes for N8N.

So the only thing that I presume would change that if some automated scraper comes passing by my IP asking: "Do you run N8N?" my server would answer: "Please log in with your cloudron details" instead of "Sure I am running this N8N version"

Reply to N8N Security on Wed, 14 Jan 2026 11:00:24 GMT

Teiluj — Wed, 14 Jan 2026 11:00:24 GMT

@james Would this obfuscate the n8n frontend, at least partially?

Reply to N8N Security on Wed, 14 Jan 2026 10:59:26 GMT

Teiluj — Wed, 14 Jan 2026 10:59:26 GMT

Hi @jorrg - I am also interested generally on the idea of a Cloudron proxyAuth in front of a publicly accessible Cloudron app, to prevent the kind of scenario you describe.

This kind of functionality seems to be high on demand for Cloudron (see here and here for example)

However, in the meantime, maybe you've seen this post about OIDC and n8n from @luckow ?
Hopefully this could help in this particular case, even if not officially supported by Cloudron (yet?)

Reply to N8N Security on Wed, 14 Jan 2026 10:55:35 GMT

james — Wed, 14 Jan 2026 10:55:35 GMT

Hello @jorrg

@jorrg said in N8N Security:

Is there a way to enable proxyAuth for the official App Store version of n8n? (e.g., via a manual config change or a CLI flag?)

Unfortunately, no.

Also, the only thing this would do is move the brute force from N8N to the Cloudron Proxy Auth.
So nothing really changes.