# Module 06: Security Best Practices

**Difficulty**: ‚≠ê‚≠ê  
**Estimated Time**: 50 minutes  
**Prerequisites**: 
- Module 04: Initial Configuration and First Workflow
- Basic understanding of network security concepts
- Administrator access to Windows

## Learning Objectives

By the end of this notebook, you will be able to:

1. Configure basic authentication to protect your n8n instance
2. Manage encryption keys for secure credential storage
3. Configure Windows Firewall to control network access
4. Understand and mitigate common security risks
5. Implement webhook authentication for external triggers

## Why Security Matters for n8n

n8n can access sensitive data and execute powerful automations. Without proper security:

- **Unauthorized access**: Anyone on your network can view/modify workflows
- **Credential theft**: API keys and passwords stored in n8n can be stolen
- **Resource abuse**: Attackers can execute workflows consuming CPU/bandwidth
- **Data leaks**: Workflow data might contain personal or business information

### The Security Triad for n8n

1. **Authentication**: Who can access n8n?
2. **Encryption**: How are credentials protected?
3. **Network isolation**: Where can n8n be accessed from?

**Real-world scenario**: A developer runs n8n on their laptop without authentication. A colleague on the same WiFi network finds the n8n instance, browses workflows, and accidentally sees API keys for production services. These credentials leak when the colleague's laptop is compromised by malware.

**Prevention**: 5 minutes of security configuration eliminates this risk.

## Part 1: Basic Authentication Configuration

Basic authentication provides HTTP-level protection before users reach the n8n interface.

### How It Works

```
User ‚Üí Opens http://localhost:5678
     ‚Üí Browser shows login prompt
     ‚Üí User enters username/password
     ‚Üí If correct: n8n interface loads
     ‚Üí If incorrect: Access denied
```

### Environment Variables

Three variables control basic auth:

| Variable | Values | Purpose |
|----------|--------|----------|
| `N8N_BASIC_AUTH_ACTIVE` | `true` / `false` | Enables/disables basic auth |
| `N8N_BASIC_AUTH_USER` | Any string | Username for login |
| `N8N_BASIC_AUTH_PASSWORD` | Any string | Password for login |

### Configuration Methods

#### Method 1: Batch Script (npm - Recommended)

Create `C:\n8n\start-n8n-secure.bat`:

```batch
@echo off
REM n8n Secure Startup Script

REM Basic Authentication
SET N8N_BASIC_AUTH_ACTIVE=true
SET N8N_BASIC_AUTH_USER=admin
SET N8N_BASIC_AUTH_PASSWORD=MySecurePassword123!

REM Timezone Configuration
SET GENERIC_TIMEZONE=America/New_York

REM Start n8n
echo Starting n8n with authentication enabled...
n8n
```

**Usage**: Double-click the batch file to start n8n with authentication.

#### Method 2: PowerShell Session (npm - Temporary)

```powershell
$env:N8N_BASIC_AUTH_ACTIVE="true"
$env:N8N_BASIC_AUTH_USER="admin"
$env:N8N_BASIC_AUTH_PASSWORD="MySecurePassword123!"
n8n
```

**Note**: These variables only last for the current PowerShell session.

#### Method 3: System Environment Variables (npm - Permanent)

1. Press `Win + R`, type `sysdm.cpl`, press Enter
2. Click "Environment Variables" button
3. Under "User variables", click "New"
4. Add each variable:
   - Variable name: `N8N_BASIC_AUTH_ACTIVE`
   - Variable value: `true`
5. Click "OK"
6. Repeat for USER and PASSWORD variables
7. Restart all terminals

#### Method 4: Docker Compose (Docker - Recommended)

Edit `C:\n8n-docker\docker-compose.yml`:

```yaml
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    container_name: n8n
    ports:
      - "5678:5678"
    environment:
      - GENERIC_TIMEZONE=America/New_York
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=MySecurePassword123!
      - N8N_ENCRYPTION_KEY=your-32-character-encryption-key
    volumes:
      - n8n_data:/home/node/.n8n
    restart: unless-stopped

volumes:
  n8n_data:
```

Restart: `docker compose restart`

In [None]:
# Password strength checker

import re

def check_password_strength(password):
    """
    Evaluate password strength and provide recommendations.
    
    Returns a score (0-100) and feedback.
    """
    print("=" * 70)
    print("PASSWORD STRENGTH ANALYZER")
    print("=" * 70)
    
    score = 0
    feedback = []
    
    # Length check
    length = len(password)
    if length >= 16:
        score += 30
        feedback.append("‚úÖ Excellent length (16+ characters)")
    elif length >= 12:
        score += 25
        feedback.append("‚úÖ Good length (12+ characters)")
    elif length >= 8:
        score += 15
        feedback.append("‚ö†Ô∏è  Minimum length (8 characters)")
    else:
        feedback.append("‚ùå Too short (less than 8 characters)")
    
    # Character variety checks
    if re.search(r'[a-z]', password):
        score += 10
        feedback.append("‚úÖ Contains lowercase letters")
    else:
        feedback.append("‚ùå Missing lowercase letters")
    
    if re.search(r'[A-Z]', password):
        score += 10
        feedback.append("‚úÖ Contains uppercase letters")
    else:
        feedback.append("‚ùå Missing uppercase letters")
    
    if re.search(r'[0-9]', password):
        score += 10
        feedback.append("‚úÖ Contains numbers")
    else:
        feedback.append("‚ùå Missing numbers")
    
    if re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
        score += 15
        feedback.append("‚úÖ Contains special characters")
    else:
        feedback.append("‚ö†Ô∏è  Missing special characters")
    
    # Common pattern checks
    common_patterns = ['123', 'abc', 'password', 'admin', 'qwerty']
    if any(pattern in password.lower() for pattern in common_patterns):
        score -= 20
        feedback.append("‚ùå Contains common patterns")
    else:
        score += 15
        feedback.append("‚úÖ No common patterns detected")
    
    # Determine rating
    if score >= 80:
        rating = "STRONG"
        color = "‚úÖ"
    elif score >= 60:
        rating = "MODERATE"
        color = "‚ö†Ô∏è"
    else:
        rating = "WEAK"
        color = "‚ùå"
    
    # Print results
    print(f"\nPassword: {'*' * len(password)}")
    print(f"\nScore: {score}/100")
    print(f"Rating: {color} {rating}")
    print("\nAnalysis:")
    for item in feedback:
        print(f"  {item}")
    
    print("\n" + "=" * 70)
    
    # Recommendations
    if score < 80:
        print("\nüí° RECOMMENDATIONS:")
        if length < 12:
            print("   ‚Ä¢ Use at least 12 characters (16+ is better)")
        if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
            print("   ‚Ä¢ Add special characters (!@#$%^&*)")
        if any(pattern in password.lower() for pattern in common_patterns):
            print("   ‚Ä¢ Avoid common words and patterns")
        print("   ‚Ä¢ Consider using a password manager")
        print("   ‚Ä¢ Use a passphrase: 4-5 random words")
    
    return score, rating

# Test with sample passwords
test_passwords = [
    "admin123",
    "MySecurePassword123!",
    "correct-horse-battery-staple-2024"
]

for pwd in test_passwords:
    check_password_strength(pwd)
    print("\n" + "="*70 + "\n")

## Part 2: Encryption Key Management

n8n encrypts all credentials (API keys, passwords, OAuth tokens) before storing them in the database.

### The Encryption Key

- **Auto-generated**: Created on first n8n launch
- **Location**: `C:\Users\YourUsername\.n8n\config` (npm) or in the Docker volume
- **Critical**: Without this key, credentials cannot be decrypted

### Why This Matters

Scenario: You backup your .n8n directory but forget the encryption key. Later, you restore the backup. Your workflows load, but all credentials show as "[Encrypted]" and cannot be used.

**Solution**: Always backup the encryption key separately.

### Setting a Custom Encryption Key

**Before first n8n launch**, set `N8N_ENCRYPTION_KEY`:

```batch
SET N8N_ENCRYPTION_KEY=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
```

**Requirements**:
- At least 10 characters (recommended: 32+)
- Random characters (letters, numbers, symbols)
- Same key must be used consistently

### Generating a Secure Key

**Using PowerShell**:

```powershell
# Generate 32 random characters
-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object {[char]$_})
```

**Using OpenSSL** (if installed):

```bash
openssl rand -base64 32
```

### Storing the Encryption Key Safely

‚úÖ **DO**:
- Store in a password manager (1Password, Bitwarden, KeePass)
- Keep encrypted backup on separate drive
- Document where the key is stored

‚ùå **DON'T**:
- Commit to Git repositories
- Store in plain text files on the same system
- Email or message to yourself
- Store only in Windows environment variables (can be lost)

In [None]:
# Encryption key generator

import secrets
import string

def generate_encryption_key(length=32):
    """
    Generate a cryptographically secure encryption key.
    
    Args:
        length: Key length in characters (default: 32)
    
    Returns:
        Secure random string suitable for N8N_ENCRYPTION_KEY
    """
    print("=" * 70)
    print("N8N ENCRYPTION KEY GENERATOR")
    print("=" * 70)
    
    # Use cryptographically secure random generator
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    key = ''.join(secrets.choice(alphabet) for _ in range(length))
    
    print(f"\nüîë Generated Encryption Key ({length} characters):\n")
    print(f"   {key}")
    
    print("\n" + "=" * 70)
    print("\n‚ö†Ô∏è  IMPORTANT INSTRUCTIONS:")
    print("\n1. COPY this key immediately")
    print("2. STORE in a password manager or secure vault")
    print("3. ADD to your startup script:")
    print("\n   Batch file:")
    print(f"   SET N8N_ENCRYPTION_KEY={key}")
    print("\n   PowerShell:")
    print(f"   $env:N8N_ENCRYPTION_KEY=\"{key}\"")
    print("\n   Docker Compose:")
    print(f"   - N8N_ENCRYPTION_KEY={key}")
    print("\n4. BACKUP this key separately from your n8n data")
    print("5. NEVER commit to Git or share publicly")
    print("\n" + "=" * 70)
    
    return key

# Generate a new key
new_key = generate_encryption_key(32)

# Also generate a longer key option
print("\n\n")
extra_secure_key = generate_encryption_key(64)

## Part 3: Network Exposure and Windows Firewall

### Understanding Network Binding

By default, n8n listens on `0.0.0.0:5678`, meaning:
- Accessible from `localhost` (same computer)
- Accessible from network (other devices on WiFi/LAN)
- **NOT** accessible from internet (unless you configure port forwarding)

### Security Levels

| Configuration | Accessibility | Security | Use Case |
|---------------|---------------|----------|----------|
| `N8N_HOST=127.0.0.1` | Localhost only | Highest | Development |
| `N8N_HOST=0.0.0.0` + Firewall | Trusted IPs only | High | Team access |
| `N8N_HOST=0.0.0.0` No firewall | Full network | Low | Never do this |
| Port forwarding | Internet | Dangerous | Needs reverse proxy + SSL |

### Localhost-Only Configuration

**For maximum security during development**:

```batch
SET N8N_HOST=127.0.0.1
SET N8N_PORT=5678
n8n
```

This makes n8n **only** accessible from your computer, not from network.

### Configuring Windows Firewall

If you need network access, configure Windows Firewall to allow only trusted connections.

#### Step-by-Step: Create Firewall Rule

1. Press `Win + R`, type `wf.msc`, press Enter (opens Windows Defender Firewall)
2. Click "Inbound Rules" in left panel
3. Click "New Rule..." in right panel
4. Select "Port", click Next
5. Select "TCP"
6. Enter "5678" in "Specific local ports"
7. Click Next
8. Select "Allow the connection"
9. Click Next
10. Check: Domain, Private, Public (or only Private for home networks)
11. Click Next
12. Name: "n8n Automation Server"
13. Click Finish

#### PowerShell Method (Administrator)

```powershell
# Create firewall rule allowing n8n on port 5678
New-NetFirewallRule -DisplayName "n8n Automation" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 5678 `
  -Action Allow `
  -Profile Private
```

#### Remove Firewall Rule

```powershell
Remove-NetFirewallRule -DisplayName "n8n Automation"
```

### Testing Network Access

1. Find your computer's IP address:
   ```
   ipconfig
   ```
   Look for "IPv4 Address" (e.g., 192.168.1.100)

2. From another device on the same network, open:
   ```
   http://192.168.1.100:5678
   ```

3. Should see n8n login (if firewall allows, otherwise timeout)

In [None]:
# Network configuration validator

import socket
import subprocess
import platform

def check_network_configuration():
    """
    Check n8n network accessibility and provide security recommendations.
    """
    print("=" * 70)
    print("N8N NETWORK SECURITY AUDIT")
    print("=" * 70)
    
    # Get local IP addresses
    hostname = socket.gethostname()
    try:
        local_ip = socket.gethostbyname(hostname)
        print(f"\nüñ•Ô∏è  Computer Name: {hostname}")
        print(f"üåê Local IP Address: {local_ip}")
    except:
        print("\n‚ö†Ô∏è  Could not determine local IP address")
        local_ip = None
    
    # Check if port 5678 is listening
    print("\n" + "‚îÄ" * 70)
    print("PORT ACCESSIBILITY CHECK")
    print("‚îÄ" * 70)
    
    port = 5678
    
    # Check localhost
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(2)
    localhost_result = sock.connect_ex(('127.0.0.1', port))
    sock.close()
    
    if localhost_result == 0:
        print(f"‚úÖ Port {port} is accessible on LOCALHOST")
        print(f"   ‚Üí http://localhost:{port}")
    else:
        print(f"‚ùå Port {port} is NOT accessible on localhost")
        print("   ‚Üí n8n may not be running")
    
    # Check network IP (if available)
    if local_ip and local_ip != '127.0.0.1':
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        network_result = sock.connect_ex((local_ip, port))
        sock.close()
        
        if network_result == 0:
            print(f"‚ö†Ô∏è  Port {port} is accessible on NETWORK")
            print(f"   ‚Üí http://{local_ip}:{port}")
            print("   ‚Üí Other devices on your network can access n8n")
        else:
            print(f"‚úÖ Port {port} is NOT accessible on network")
            print("   ‚Üí n8n is localhost-only or firewall is blocking")
    
    # Security recommendations
    print("\n" + "‚îÄ" * 70)
    print("SECURITY RECOMMENDATIONS")
    print("‚îÄ" * 70)
    
    if localhost_result == 0:
        print("\n‚úÖ n8n is running and accessible locally")
        print("\nSecurity checklist:")
        print("  ‚ñ° Basic authentication enabled (N8N_BASIC_AUTH_ACTIVE=true)")
        print("  ‚ñ° Strong password configured (12+ characters)")
        print("  ‚ñ° Encryption key backed up securely")
        
        if local_ip and network_result == 0:
            print("\n‚ö†Ô∏è  NETWORK ACCESS DETECTED")
            print("\nAdditional security required:")
            print("  ‚ñ° Windows Firewall rules configured")
            print("  ‚ñ° Only trusted IPs have access")
            print("  ‚ñ° Regular security audits performed")
            print("\nüí° Consider restricting to localhost-only:")
            print("   SET N8N_HOST=127.0.0.1")
        else:
            print("\n‚úÖ Network access blocked (localhost-only)")
            print("   This is the most secure configuration for development")
    else:
        print("\n‚ÑπÔ∏è  n8n is not running")
        print("   Start n8n to perform security audit")
    
    print("\n" + "=" * 70)

# Run the audit
check_network_configuration()

## Part 4: Webhook Authentication and Security

Webhooks allow external services to trigger n8n workflows, but they need protection.

### Webhook Security Risks

Without authentication:
- Anyone with the webhook URL can trigger your workflow
- Attackers can spam requests, consuming resources
- Malicious data can be injected into your workflows

### Webhook Authentication Methods

#### 1. Header Authentication

Require a secret token in the HTTP header:

1. In webhook node, add "Header Auth"
2. Set header name: `X-Webhook-Token`
3. Set expected value: `your-secret-token-here`
4. External service must send this header

**Example request**:
```bash
curl -X POST https://your-n8n.com/webhook/abc123 \
  -H "X-Webhook-Token: your-secret-token-here" \
  -d '{"data": "value"}'
```

#### 2. Query Parameter Authentication

Include token in the URL:

```
https://your-n8n.com/webhook/abc123?token=your-secret-token
```

**Warning**: Tokens in URLs can be logged in server logs and browser history.

#### 3. IP Whitelist (IF Node)

Check the requesting IP address:

1. Add IF node after webhook
2. Condition: `{{ $json["headers"]["x-forwarded-for"] }}` equals `trusted.ip.address`
3. If false, workflow stops

#### 4. HMAC Signature Verification

For services that support it (GitHub, Stripe, etc.):

1. Service signs payload with shared secret
2. Sends signature in header
3. n8n verifies signature matches

### Best Practices for Webhooks

‚úÖ **DO**:
- Use HTTPS URLs (requires reverse proxy)
- Generate long, random webhook paths
- Implement authentication (header or signature)
- Log all webhook requests for auditing
- Validate incoming data structure

‚ùå **DON'T**:
- Use simple webhook paths like `/webhook/test`
- Expose sensitive data in webhook responses
- Process untrusted data without validation
- Use HTTP without authentication

In [None]:
# Generate secure webhook tokens

import secrets
import string

def generate_webhook_token(length=32):
    """
    Generate a secure token for webhook authentication.
    """
    alphabet = string.ascii_letters + string.digits
    token = ''.join(secrets.choice(alphabet) for _ in range(length))
    return token

def generate_webhook_path():
    """
    Generate a random webhook path that's hard to guess.
    """
    return secrets.token_urlsafe(16)

print("=" * 70)
print("WEBHOOK SECURITY CONFIGURATION GENERATOR")
print("=" * 70)

# Generate multiple security elements
webhook_path = generate_webhook_path()
auth_token = generate_webhook_token(32)

print("\nüìå WEBHOOK PATH (hard to guess):")
print(f"   {webhook_path}")
print(f"\n   Full URL: http://localhost:5678/webhook/{webhook_path}")

print("\nüîê AUTHENTICATION TOKEN:")
print(f"   {auth_token}")

print("\n" + "‚îÄ" * 70)
print("CONFIGURATION INSTRUCTIONS")
print("‚îÄ" * 70)

print("\n1. In n8n Webhook node:")
print(f"   ‚Ä¢ Path: {webhook_path}")
print("   ‚Ä¢ HTTP Method: POST")
   "   ‚Ä¢ Authentication: Header Auth")
print("   ‚Ä¢ Header Name: X-Webhook-Token")
print(f"   ‚Ä¢ Header Value: {auth_token}")

print("\n2. When calling the webhook:")
print("\n   Using curl:")
print(f"   curl -X POST http://localhost:5678/webhook/{webhook_path} \\")
print(f"     -H 'X-Webhook-Token: {auth_token}' \\")
print("     -H 'Content-Type: application/json' \\")
print("     -d '{\"message\": \"Hello n8n\"}'")

print("\n   Using Python requests:")
print("   import requests")
print(f"   url = 'http://localhost:5678/webhook/{webhook_path}'")
print(f"   headers = {{'X-Webhook-Token': '{auth_token}'}}")
print("   data = {'message': 'Hello n8n'}")
print("   response = requests.post(url, json=data, headers=headers)")

print("\n" + "=" * 70)
print("\nüí° SECURITY TIPS:")
print("   ‚Ä¢ Store these values in a password manager")
print("   ‚Ä¢ Never commit tokens to Git repositories")
print("   ‚Ä¢ Regenerate tokens if they're exposed")
print("   ‚Ä¢ Use HTTPS in production (requires reverse proxy)")
print("=" * 70)

## Part 5: Security Best Practices Checklist

Use this checklist to ensure your n8n installation is secure.

### Essential (Do Before Network Access)

- [ ] Basic authentication enabled
- [ ] Strong password configured (12+ characters, mixed case, numbers, symbols)
- [ ] Encryption key backed up to password manager
- [ ] Running on localhost-only OR firewall configured

### Recommended (Production)

- [ ] Custom encryption key set before first launch
- [ ] Windows Firewall rules configured for specific IPs only
- [ ] Webhook authentication implemented
- [ ] Regular backups of .n8n directory
- [ ] Separate encryption key backup location
- [ ] Documented security procedures

### Advanced (Team/Enterprise)

- [ ] Reverse proxy with SSL/TLS (Nginx, Caddy)
- [ ] Fail2ban or similar intrusion detection
- [ ] VPN access for remote team members
- [ ] Audit logging enabled
- [ ] Regular security reviews
- [ ] Incident response plan

### Common Security Mistakes

‚ùå **Running without authentication on WiFi**
   ‚Üí Anyone on your network can access n8n

‚ùå **Using weak passwords** (`admin`, `password123`)
   ‚Üí Easily guessed by attackers

‚ùå **Not backing up encryption key**
   ‚Üí Lose access to all stored credentials

‚ùå **Exposing port 5678 to internet without SSL**
   ‚Üí Credentials transmitted in plain text

‚ùå **Using production API keys in development**
   ‚Üí Risk exposing real credentials

‚ùå **Committing .env files to Git**
   ‚Üí Secrets leaked to repository

In [None]:
# Security audit checklist generator

import datetime

def generate_security_audit():
    """
    Generate a security audit checklist for n8n installation.
    """
    print("=" * 70)
    print("N8N SECURITY AUDIT CHECKLIST")
    print(f"Generated: {datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
    print("=" * 70)
    
    categories = {
        "AUTHENTICATION": [
            "Basic authentication enabled (N8N_BASIC_AUTH_ACTIVE=true)",
            "Strong password configured (12+ characters)",
            "Password stored in password manager",
            "No default credentials in use"
        ],
        "ENCRYPTION": [
            "Custom encryption key generated",
            "Encryption key backed up securely",
            "Encryption key NOT in version control",
            "Backup tested and verified"
        ],
        "NETWORK SECURITY": [
            "n8n bound to localhost OR firewall configured",
            "Windows Firewall rules created and tested",
            "Only required ports exposed",
            "Network access tested from trusted devices only"
        ],
        "WEBHOOK SECURITY": [
            "Webhook authentication implemented",
            "Random, hard-to-guess webhook paths used",
            "HTTPS enabled (if production)",
            "Webhook tokens rotated regularly"
        ],
        "OPERATIONAL SECURITY": [
            "Regular backups scheduled",
            "Backup restoration tested",
            "Execution logs reviewed periodically",
            "Unused workflows disabled",
            "Old execution data pruned"
        ],
        "CREDENTIAL MANAGEMENT": [
            "Production credentials separate from development",
            "Credentials reviewed and rotated regularly",
            "Unused credentials removed",
            "Credential access audited"
        ]
    }
    
    for category, items in categories.items():
        print(f"\n{category}")
        print("‚îÄ" * 70)
        for item in items:
            print(f"  [ ] {item}")
    
    print("\n" + "=" * 70)
    print("\nSCORING GUIDE:")
    print("  Essential (first 4 categories): Must complete ALL items")
    print("  Recommended (last 2 categories): Complete 80%+ items")
    print("\nNEXT REVIEW DATE: _______________")
    print("REVIEWED BY: _______________")
    print("=" * 70)

# Generate the audit
generate_security_audit()

## Exercises

### Exercise 1: Configure Complete Authentication (Easy)

**Task**: Set up basic authentication for your n8n instance.

**Steps**:
1. Stop n8n if it's running
2. Create a batch script `C:\n8n\start-n8n-secure.bat`
3. Add basic authentication environment variables
4. Use the password strength checker to verify your password
5. Start n8n using the batch script
6. Test accessing http://localhost:5678 (should prompt for login)
7. Verify you can log in with your credentials

**Verification**: Browser shows login prompt, and you can successfully authenticate.

**Deliverable**: Screenshot of successful login prompt and working n8n interface.

### Exercise 2: Set Up Windows Firewall Rules (Medium)

**Task**: Configure Windows Firewall to allow n8n access only on private networks.

**Steps**:
1. Open Windows Defender Firewall with Advanced Security
2. Create inbound rule for TCP port 5678
3. Configure to allow only on "Private" network profile
4. Test from another device on your network
5. Switch Windows to "Public" network profile
6. Verify access is blocked
7. Switch back to "Private" profile
8. Verify access is restored

**Verification**: Access works on private network, blocked on public.

**Deliverable**: Document the firewall rule settings and test results.

### Exercise 3: Implement Webhook Security (Hard)

**Task**: Create a secure webhook workflow with authentication.

**Steps**:
1. Use the webhook token generator to create a secure token
2. Create a new workflow in n8n
3. Add a Webhook node with:
   - Random path from generator
   - Header authentication enabled
   - Header name: `X-Webhook-Token`
   - Expected value: your generated token
4. Add a Set node to extract and log the received data
5. Test webhook WITHOUT authentication token (should fail)
6. Test webhook WITH correct token (should succeed)
7. Test webhook with WRONG token (should fail)

**Verification**: Only requests with correct token succeed.

**Deliverable**: Workflow screenshot and test results showing all three scenarios.

## Summary

In this module, you learned comprehensive security practices for n8n:

### Authentication & Access Control
1. **Basic Authentication**: HTTP-level protection with username/password
2. **Configuration Methods**: Batch scripts, environment variables, Docker Compose
3. **Password Strength**: Minimum 12 characters, mixed case, numbers, symbols
4. **Testing**: Verify authentication prompts appear before access

### Encryption & Key Management
5. **Encryption Key**: Protects stored credentials in database
6. **Key Generation**: Use cryptographically secure random generators
7. **Backup Strategy**: Store separately from n8n data, use password managers
8. **Custom Keys**: Set before first launch for consistency

### Network Security
9. **Binding Configuration**: Localhost-only vs network access
10. **Windows Firewall**: Control which networks can access n8n
11. **Network Profiles**: Different rules for private vs public networks
12. **Testing**: Verify access from multiple network configurations

### Webhook Protection
13. **Authentication Methods**: Headers, query parameters, IP whitelisting
14. **Token Generation**: Long, random tokens for each webhook
15. **HMAC Signatures**: For services that support cryptographic verification
16. **Best Practices**: HTTPS, validation, logging, monitoring

### Security Audit
17. **Essential Checklist**: Minimum security for any installation
18. **Production Checklist**: Additional requirements for team/business use
19. **Common Mistakes**: Avoiding typical security pitfalls
20. **Regular Reviews**: Scheduled audits and updates

### Key Takeaways

‚úÖ **Always enable authentication** before allowing network access  
‚úÖ **Backup encryption keys** separately from n8n data  
‚úÖ **Use strong passwords** (12+ characters minimum)  
‚úÖ **Configure firewalls** to limit access to trusted networks  
‚úÖ **Implement webhook authentication** for all external triggers  
‚úÖ **Regular security audits** prevent gradual security degradation  

### Security Levels

**Minimum (Development)**:
- Basic auth enabled
- Localhost-only binding
- Encryption key backed up

**Recommended (Personal Production)**:
- All minimum requirements
- Windows Firewall configured
- Webhook authentication
- Regular backups

**Advanced (Team/Business)**:
- All recommended requirements
- Reverse proxy with SSL
- VPN or private network access
- Audit logging
- Security monitoring

### What's Next

- **Module 07**: Performance optimization for Windows laptops
- **Module 08**: Automatic startup configuration
- **Module 09**: Updates and maintenance procedures
- **Module 10**: Production deployment strategies

### Additional Resources

- [n8n Security Documentation](https://docs.n8n.io/hosting/configuration/security/)
- [Windows Firewall Guide](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/)
- [Password Manager Recommendations](https://www.nist.gov/password)
- [OWASP Security Best Practices](https://owasp.org/www-project-top-ten/)

### Remember

Security is not a one-time setup‚Äîit's an ongoing practice. Review your security configuration monthly, update passwords quarterly, and audit access logs regularly. The 30 minutes invested in proper security setup prevents hours of recovery from security incidents.