SECURITY.md

Security Policy

Supported Versions

We actively maintain and provide security updates for the following versions:

Version	Supported
1.0.x	:white_check_mark:

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability in this n8n infrastructure, please report it responsibly.

How to Report

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Send an email to: security@your-domain.com (replace with your actual security contact)
3. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact assessment
   • Suggested fix (if available)

What to Expect

• Acknowledgment: Within 48 hours of your report
• Initial Assessment: Within 7 days
• Fix Timeline: Critical issues within 14 days, others within 30 days
• Disclosure: Coordinated disclosure after fix is released

Security Best Practices

For Administrators

1. Environment Variables:

   • Never commit .env files to version control
   • Use GitHub Secrets for all sensitive data
   • Rotate encryption keys regularly (quarterly recommended)

2. Database Security:

   • Always use SSL connections to Supabase
   • Enable Row Level Security (RLS) policies
   • Regular backup encryption validation
   • Monitor for unusual database activity

3. Container Security:

   • Keep n8n version pinned and updated
   • Regular security scanning of Docker images
   • Use non-root user inside containers
   • Limit container network access

4. Access Control:

   • Enable n8n user management
   • Use strong JWT secrets
   • Implement webhook authentication
   • Regular access review and cleanup

For Developers

1. Code Security:

   • No hardcoded credentials in source code
   • Validate all webhook inputs
   • Sanitize user inputs in workflows
   • Use prepared statements for database queries

2. Workflow Security:

   • Audit workflow permissions regularly
   • Secure credential storage in n8n
   • Validate external API responses
   • Implement proper error handling

3. AI Integration Security:

   • Validate AI model outputs
   • Sanitize prompts and inputs
   • Secure API key management
   • Monitor AI usage and costs

Security Checklist

Pre-Deployment

• All secrets configured in GitHub repository
• Database SSL enforcement enabled
• Container security scan passed
• Webhook authentication configured
• Network security policies reviewed

Post-Deployment

• Health monitoring enabled
• Backup encryption verified
• Access logs configured
• Incident response plan ready
• Security contact information updated

Regular Maintenance

• Monthly security updates applied
• Quarterly credential rotation
• Backup integrity verification
• Security audit review
• Vulnerability scanning

Known Security Considerations

1. Hugging Face Spaces: Public spaces expose the application URL. Use authentication and access controls.

2. Vector Embeddings: Knowledge base content may contain sensitive information. Review before indexing.

3. Webhook Endpoints: Publicly accessible URLs should implement proper authentication.

4. Database Access: Ensure Supabase RLS policies are properly configured for your use case.

Incident Response

In case of a security incident:

1. Immediate Actions:

   • Disable affected services if necessary
   • Preserve logs and evidence
   • Assess scope and impact

2. Communication:

   • Notify security team immediately
   • Prepare user communication if needed
   • Coordinate with stakeholders

3. Recovery:

   • Apply security patches
   • Restore from clean backups if needed
   • Verify system integrity
   • Update security measures

Security Resources

• n8n Security Documentation
• Supabase Security Guide
• Docker Security Best Practices
• GitHub Actions Security

Contact

For security-related questions or concerns:

• Email: security@your-domain.com
• Security Team: @security-team (GitHub)

---

Last updated: January 2025