Permissive CORS in n8n
Why allowing all origins can expose your workflows to cross-site attacks
What is this issue?
Cross-Origin Resource Sharing (CORS) controls which websites can make requests to your n8n instance. When set to '*' (allow all), any website can invoke your webhooks and potentially access sensitive data.
Signs of permissive CORS:
• Access-Control-Allow-Origin set to '*'
• No origin validation on webhook endpoints
• Public webhooks accepting requests from any domain
• Missing CORS headers configuration
Why is this dangerous?
CSRF attacks
Malicious websites can trigger your workflows on behalf of authenticated users.
Data exfiltration
Attackers can read response data from your webhooks via cross-origin requests.
Credential theft
If responses include tokens or secrets, they can be stolen cross-origin.
Reputation damage
Your n8n instance could be used as a proxy for attacks on other services.
How to fix it
1. Restrict allowed origins
Set N8N_CORS_ALLOWED_ORIGINS to your specific domain(s) instead of '*'.
2. Use webhook authentication
Always require authentication on webhooks to prevent unauthorized access.
3. Validate the Origin header
In Code nodes, validate the Origin header before processing requests.
4. Run n8n behind a reverse proxy
Configure CORS at the reverse proxy level for more control.
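As an added example for step 3 (not code from n8n or from this page), the check below compares the Origin header against an allow-list by exact, normalised origin rather than by substring, so look-alike hosts such as app.example.com.evil.test are rejected. It assumes the upstream Webhook node emits items whose json.headers carries the lower-cased request headers and that, inside a real Code node, `items` would be `$input.all()`; the domain names and sample items are constructed.

```javascript
// Normalise an allow-list entry or Origin header value to "scheme://host[:port]".
// Returns null for anything that is not an absolute http(s) URL, e.g. "null".
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const url = new URL(value.trim());
    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
    return url.origin; // lower-cases the host, drops default ports and any path
  } catch {
    return null;
  }
}

// Exact-match check. Deliberately not startsWith/includes: those would accept
// "https://app.example.com.evil.test" or "https://evil.test/?u=https://app.example.com".
function isAllowedOrigin(origin, allowlist) {
  const candidate = normalizeOrigin(origin);
  if (candidate === null) return false;
  return allowlist.some((entry) => normalizeOrigin(entry) === candidate);
}

// Split webhook items into those that pass the Origin check and those that do not.
// Requests with no Origin header are rejected here; relax this only if you
// deliberately accept non-browser callers that authenticate some other way.
function filterByOrigin(items, allowlist) {
  const accepted = [];
  const rejected = [];
  for (const item of items) {
    const headers = (item.json && item.json.headers) || {};
    (isAllowedOrigin(headers.origin, allowlist) ? accepted : rejected).push(item);
  }
  return { accepted, rejected };
}

// Constructed sample input standing in for $input.all() from a Webhook node.
// The second allow-list entry shows that case and a default port are normalised away.
const ALLOWED_ORIGINS = ["https://app.example.com", "https://APP.EXAMPLE.COM:443/"];
const sampleItems = [
  { json: { headers: { origin: "https://app.example.com" }, body: { id: 1 } } },
  { json: { headers: { origin: "https://app.example.com.evil.test" }, body: { id: 2 } } },
  { json: { headers: { origin: "null" }, body: { id: 3 } } },
  { json: { headers: {}, body: { id: 4 } } },
];
const result = filterByOrigin(sampleItems, ALLOWED_ORIGINS);
// In a Code node you would end with `return result.accepted;` so that only
// requests from trusted origins reach the rest of the workflow.
```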