Educational Resources
1. Hardcoded API Keys - Never put API keys directly in HTTP nodes. Use the credential store instead.
2. Unauthenticated Webhooks - Always enable Header Auth with a strong random token (32+ characters).
3. SQL Injection - Use parameterized queries ($1, $2) instead of string concatenation.
4. No Input Validation - Always validate required fields, formats, and data types.
5. Missing Error Handling - Add Error Trigger nodes with Slack/email alerts.
6. PII Sent to External APIs - Hash emails, mask SSNs before sending to OpenAI/Anthropic.
7. Using HTTP Instead of HTTPS - Always use encrypted connections.
8. Disabled SSL Verification - Keep certificate validation enabled.
9. No Audit Logging - Track all executions with timestamp, user, action.
10. Using eval() in Code Nodes - Use JSON.parse() or refactor logic instead.
What is GDPR? The General Data Protection Regulation requires businesses to protect EU citizens' personal data.
PII (Personally Identifiable Information): Names, email addresses, phone numbers, IP addresses, SSNs, physical addresses
Anonymize PII Before External APIs: Hash emails, mask SSNs before sending to AI services
Add Consent Checking: Only process data if the user has given consent
Implement Data Deletion: Create workflows to delete user data on request
Log Everything: Maintain audit logs of all data processing activities
Why Rate Limit? Prevent abuse, control API costs, ensure fair usage, protect downstream services
Types: Per-IP, Per-User, Global
Implementation: Use Code nodes with Redis to track request counts with TTL (time-to-live)
Best Practices: Start conservative (100/hour), return a 429 status, include a Retry-After header, monitor and adjust
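The fixed-window limiter described above (counter per key, TTL on the counter, 429 plus Retry-After when the limit is exceeded) is shown here as an added example that is not part of the original page. The MemoryStore class is a constructed stand-in that mimics the three Redis commands the limiter needs (INCR, EXPIRE, TTL) so the code runs offline; in a real workflow those calls would go to a Redis client or the n8n Redis node. Scope names, key layout and the per-scope limits are assumptions.

```javascript
// Added example: per-IP / per-user / global fixed-window rate limiting for a
// webhook, with Retry-After derived from the counter's remaining TTL.

// In-memory stand-in for Redis INCR / EXPIRE / TTL (constructed for the example).
class MemoryStore {
  constructor() { this.entries = new Map(); }
  // Redis INCR: create at 1 if absent or expired, else increment.
  incr(key, nowMs) {
    const e = this.entries.get(key);
    if (!e || (e.expiresAt !== null && e.expiresAt <= nowMs)) {
      this.entries.set(key, { count: 1, expiresAt: null });
      return 1;
    }
    e.count += 1;
    return e.count;
  }
  // Redis EXPIRE: set the key's time-to-live in seconds.
  expire(key, seconds, nowMs) {
    const e = this.entries.get(key);
    if (e) e.expiresAt = nowMs + seconds * 1000;
  }
  // Redis TTL: seconds until expiry, or -1 when no TTL is set.
  ttl(key, nowMs) {
    const e = this.entries.get(key);
    if (!e || e.expiresAt === null) return -1;
    return Math.max(0, Math.ceil((e.expiresAt - nowMs) / 1000));
  }
}

// Check one request for `subject` within `scope` (e.g. 'ip', 'user', 'global').
// Returns the status and headers the webhook response should carry.
function checkRateLimit(store, scope, subject, { limit = 100, windowSeconds = 3600 } = {}, nowMs = Date.now()) {
  const key = `ratelimit:${scope}:${subject}`;
  const count = store.incr(key, nowMs);
  if (count === 1) {
    // First hit of a fresh window: start the TTL so the counter resets itself.
    store.expire(key, windowSeconds, nowMs);
  }
  const retryAfter = store.ttl(key, nowMs);
  if (count > limit) {
    return {
      allowed: false,
      status: 429,
      headers: {
        'Retry-After': String(retryAfter),
        'X-RateLimit-Limit': String(limit),
        'X-RateLimit-Remaining': '0',
      },
    };
  }
  return {
    allowed: true,
    status: 200,
    headers: {
      'X-RateLimit-Limit': String(limit),
      'X-RateLimit-Remaining': String(limit - count),
    },
  };
}

// Apply all three scopes; the first scope that rejects wins. Limits are assumed.
function checkAllScopes(store, { ip, userId }, nowMs = Date.now()) {
  const scopes = [
    ['ip', ip, { limit: 100, windowSeconds: 3600 }],
    ['user', userId, { limit: 500, windowSeconds: 3600 }],
    ['global', 'all', { limit: 10000, windowSeconds: 3600 }],
  ];
  for (const [scope, subject, opts] of scopes) {
    if (subject === undefined) continue;
    const result = checkRateLimit(store, scope, subject, opts, nowMs);
    if (!result.allowed) return { scope, ...result };
  }
  return { scope: null, allowed: true, status: 200, headers: {} };
}

// Constructed demonstration: four requests from one address against a limit of 3.
const demoStore = new MemoryStore();
for (let i = 0; i < 4; i++) {
  const r = checkRateLimit(demoStore, 'ip', '203.0.113.7', { limit: 3, windowSeconds: 60 }, 1700000000000 + i * 1000);
  console.log(r.status, r.headers);
}
```

The counter is only given a TTL on the first increment of a window, which is what makes the window fixed: every subsequent request sees the same expiry, and Retry-After is simply the seconds left on that key.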
Complete video series covering n8n fundamentals and advanced features
Official guide to SSL, authentication, and security best practices
User-created tutorials, workflows, and security tips
Pre-built security workflows for threat detection and monitoring
GDPR-compliant lead capture with validation, PII anonymization, and audit logging
Rate-limited, authenticated webhook handler with comprehensive logging
Automated email responses with input validation and error handling
Bi-directional sync with conflict resolution and comprehensive error handling
Use our analysis engine programmatically in your n8n workflows or applications.
// Add this to an n8n Code node
// $input.all() returns the items flowing into this node; the check below
// serialises them and looks for a literal API key that belongs in the
// credential store instead.
const items = $input.all();
let score = 100;
const issues = [];

// Check for hardcoded secrets. The "i" flag makes the match case-insensitive
// so keys written as apiKey or API_KEY are caught as well as api_key.
const jsonStr = JSON.stringify(items);
if (/api[_-]?key.*['"][a-zA-Z0-9]{20,}['"]/i.test(jsonStr)) {
  issues.push('Hardcoded API key detected');
  score -= 25;
}

return [{ json: { score, issues } }];
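The snippet above scores a single mistake from the list. As an added example that is not the page's own analysis engine, the checker below generalises it to several of the ten mistakes by walking the nodes of an exported n8n workflow JSON. The node type strings and parameter paths it reads (webhook `authentication`, HTTP Request `url`, `headerParameters` and `options.allowUnauthorizedCerts`, Code node `jsCode`) are assumed from n8n's exported workflow format and may differ between node versions; the penalty weights other than the 25 for a hardcoded key are assumptions, and the sample workflow is constructed.

```javascript
// Added example: scan an exported n8n workflow for several of the listed
// mistakes and return a score plus the issues found, per node.
// Assumption: node type names and parameter paths match n8n's export format.

const SECRET_HEADER_RE = /^(authorization|x-api-key|api[_-]?key|x-auth-token)$/i;
const TOKEN_LIKE_RE = /[A-Za-z0-9_\-]{20,}/;

// n8n stores expressions as strings beginning with "="; anything else is a literal.
function isExpression(value) {
  return typeof value === 'string' && value.startsWith('=');
}

const CHECKS = [
  {
    id: 'hardcoded-api-key', penalty: 25,
    test: (node) => node.type === 'n8n-nodes-base.httpRequest' &&
      (node.parameters?.headerParameters?.parameters || []).some(
        (h) => SECRET_HEADER_RE.test(h.name || '') &&
               !isExpression(h.value) &&
               TOKEN_LIKE_RE.test(String(h.value || ''))),
    message: 'HTTP Request node sends a literal secret in a header; move it to the credential store',
  },
  {
    id: 'unauthenticated-webhook', penalty: 20,
    test: (node) => node.type === 'n8n-nodes-base.webhook' &&
      (!node.parameters?.authentication || node.parameters.authentication === 'none'),
    message: 'Webhook node accepts requests without authentication; enable Header Auth',
  },
  {
    id: 'plain-http', penalty: 10,
    test: (node) => node.type === 'n8n-nodes-base.httpRequest' &&
      /^http:\/\//i.test(String(node.parameters?.url || '')),
    message: 'HTTP Request node uses http:// instead of https://',
  },
  {
    id: 'ssl-verification-disabled', penalty: 15,
    test: (node) => node.type === 'n8n-nodes-base.httpRequest' &&
      node.parameters?.options?.allowUnauthorizedCerts === true,
    message: 'HTTP Request node ignores certificate errors; re-enable SSL verification',
  },
  {
    id: 'eval-in-code-node', penalty: 15,
    test: (node) => node.type === 'n8n-nodes-base.code' &&
      /\beval\s*\(|new\s+Function\s*\(/.test(String(node.parameters?.jsCode || '')),
    message: 'Code node uses eval()/new Function(); use JSON.parse() or refactor',
  },
];

// Run every check against every node; score floors at 0.
function analyzeWorkflow(workflow) {
  let score = 100;
  const issues = [];
  for (const node of workflow.nodes || []) {
    for (const check of CHECKS) {
      if (check.test(node)) {
        issues.push({ node: node.name, id: check.id, message: check.message });
        score -= check.penalty;
      }
    }
  }
  return { score: Math.max(0, score), issues };
}

// Constructed sample workflow exhibiting three of the problems (the key value is a placeholder).
const sampleWorkflow = {
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook',
      parameters: { path: 'lead', httpMethod: 'POST' } },
    { name: 'Call API', type: 'n8n-nodes-base.httpRequest',
      parameters: {
        url: 'http://api.example.com/v1/score',
        headerParameters: { parameters: [{ name: 'X-API-Key', value: 'sk_test_PLACEHOLDER_0123456789abcdef' }] },
        options: { allowUnauthorizedCerts: false },
      } },
    { name: 'Transform', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'return items.map(i => ({ json: JSON.parse(i.json.body) }));' } },
  ],
};

console.log(JSON.stringify(analyzeWorkflow(sampleWorkflow), null, 2));
```

Header values that are n8n expressions are skipped on purpose: a value such as `={{ $json.token }}` is resolved at run time and is not a hardcoded secret, so flagging it would only produce noise.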