n8n-workflows/SECURITY.md

Security Policy

Reporting Security Vulnerabilities

If you discover a security vulnerability in this project, please report it responsibly by emailing the maintainers directly. Do not create public issues for security vulnerabilities.

Security Fixes Applied (November 2025)

1. Path Traversal Vulnerability (Fixed)

Issue #48: Previously, the API server was vulnerable to path traversal attacks on Windows systems.

Fix Applied:

• Added comprehensive filename validation with validate_filename() function
• Blocks all path traversal patterns including:
  • Parent directory references (.., ../, ..\\)
  • URL-encoded traversal attempts (..%5c, ..%2f)
  • Absolute paths and drive letters
  • Shell special characters and wildcards
• Uses Path.resolve() and relative_to() for defense in depth
• Applied to all file-access endpoints:
  • /api/workflows/{filename}
  • /api/workflows/{filename}/download
  • /api/workflows/{filename}/diagram

2. CORS Misconfiguration (Fixed)

Previously: CORS was configured with allow_origins=["*"], allowing any website to access the API.

Fix Applied:

• Restricted CORS origins to specific allowed domains:
  • Local development ports (3000, 8000, 8080)
  • GitHub Pages (https://zie619.github.io)
  • Community deployment (https://n8n-workflows-1-xxgm.onrender.com)
• Restricted allowed methods to only GET and POST
• Restricted allowed headers to Content-Type and Authorization

3. Unauthenticated Reindex Endpoint (Fixed)

Previously: The /api/reindex endpoint could be called by anyone, potentially causing DoS.

Fix Applied:

• Added authentication requirement via admin_token query parameter
• Token must match ADMIN_TOKEN environment variable
• If no token is configured, the endpoint is disabled
• Added rate limiting to prevent abuse
• Logs all reindex attempts with client IP

4. Rate Limiting (Added)

New Security Feature:

• Implemented rate limiting (60 requests per minute per IP)
• Applied to all sensitive endpoints
• Prevents brute force and DoS attacks
• Returns HTTP 429 when limit exceeded

Security Configuration

Environment Variables

# Required for reindex endpoint
export ADMIN_TOKEN="your-secure-random-token"

# Optional: Configure rate limiting (default: 60)
# MAX_REQUESTS_PER_MINUTE=60

CORS Configuration

To add additional allowed origins, modify the ALLOWED_ORIGINS list in api_server.py:

ALLOWED_ORIGINS = [
    "http://localhost:3000",
    "http://localhost:8000",
    "https://your-domain.com",  # Add your production domain
]

Security Best Practices

1. Environment Variables: Never commit sensitive tokens or credentials to the repository
2. HTTPS Only: Always use HTTPS in production (HTTP is only for local development)
3. Regular Updates: Keep all dependencies updated to patch known vulnerabilities
4. Monitoring: Monitor logs for suspicious activity patterns
5. Backup: Regular backups of the workflows database

Security Checklist for Deployment

• Set strong ADMIN_TOKEN environment variable
• Configure CORS origins for your specific domain
• Use HTTPS with valid SSL certificate
• Enable firewall rules to restrict access
• Set up monitoring and alerting
• Review and rotate admin tokens regularly
• Keep Python and all dependencies updated
• Use a reverse proxy (nginx/Apache) with additional security headers

Additional Security Headers (Recommended)

When deploying behind a reverse proxy, add these headers:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Vulnerability Disclosure Timeline

Date	Issue	Status	Fixed Version
Oct 2025	Path Traversal (#48)	Fixed	2.0.1
Nov 2025	CORS Misconfiguration	Fixed	2.0.1
Nov 2025	Unauthenticated Reindex	Fixed	2.0.1

Credits

Security issues reported by:

• Path Traversal: Community contributor via Issue #48

Contact

For security concerns, please contact the maintainers privately.