# How to Secure n8n with Basic Authentication

- Tool: n8n
- Difficulty: Beginner
- Time required: 10 minutes
- Compatibility: n8n 0.x to 1.x (deprecated in v2+, use user management instead)
- Last updated: March 2026

## TL;DR

Secure n8n with basic authentication by setting N8N_BASIC_AUTH_ACTIVE=true along with N8N_BASIC_AUTH_USER and N8N_BASIC_AUTH_PASSWORD environment variables. Note that basic auth is deprecated in n8n v2 and replaced by built-in user management. For new installations, set up user accounts through the n8n UI instead.

## Why Secure n8n with Authentication

By default, a self-hosted n8n instance is accessible to anyone who can reach its URL. Without authentication, anyone on your network or the internet can view, edit, and execute your workflows, including any credentials stored in them. Basic authentication adds a username and password prompt before anyone can access the n8n editor. While this was the standard approach in older n8n versions, n8n v2 introduced built-in user management with proper accounts, roles, and password hashing. This tutorial covers both the legacy basic auth method and the recommended modern approach.

## Before you start

- A self-hosted n8n instance (npm or Docker)
- Access to the server terminal or Docker configuration
- Ability to set environment variables and restart n8n
- A strong password ready for your n8n account

## Step-by-step guide

### 1. Enable basic auth with environment variables (legacy)

For n8n versions before v2, set three environment variables to enable basic authentication. N8N_BASIC_AUTH_ACTIVE enables the feature, and the other two set the credentials. After setting these variables, restart n8n. Every request to the n8n UI and API will require these credentials. This method uses HTTP Basic Authentication, which sends credentials in base64-encoded headers. Always use HTTPS in production to prevent credentials from being intercepted.

```
# Set basic auth environment variables
export N8N_BASIC_AUTH_ACTIVE=true
export N8N_BASIC_AUTH_USER=admin
export N8N_BASIC_AUTH_PASSWORD=your-strong-password-here

# Restart n8n
n8n start
```

**Expected result:** n8n starts and immediately prompts for a username and password when you open the editor in your browser.

### 2. Configure basic auth in Docker

When running n8n in Docker, pass the basic auth environment variables via docker run flags or a docker-compose.yml file. The compose approach is recommended because it keeps your configuration in a version-controlled file and makes it easy to update. Never put passwords directly in a Dockerfile or commit them to version control. Use a .env file alongside your docker-compose.yml instead.

```
# docker-compose.yml with basic auth (legacy)
version: '3.8'
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    ports:
      - '5678:5678'
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=${N8N_USER}
      - N8N_BASIC_AUTH_PASSWORD=${N8N_PASSWORD}
    volumes:
      - n8n_data:/home/node/.n8n

volumes:
  n8n_data:
```

**Expected result:** n8n starts in Docker with basic auth enabled. The browser prompts for credentials before showing the editor.

### 3. Migrate to user management in n8n v2+

Basic auth is deprecated in n8n v2 and later. Instead, n8n now includes built-in user management with proper account creation, password hashing, and role-based access. When you first start n8n v2 without any users configured, it presents a setup screen where you create an owner account. Remove the basic auth environment variables and let n8n handle authentication natively. This is more secure because passwords are hashed with bcrypt instead of sent as plaintext in HTTP headers.

```
# Remove deprecated basic auth variables
# Delete or comment out these lines:
# N8N_BASIC_AUTH_ACTIVE=true
# N8N_BASIC_AUTH_USER=admin
# N8N_BASIC_AUTH_PASSWORD=password

# n8n v2+ uses built-in user management
# Just start n8n — it will prompt you to create an owner account
n8n start

# To disable user management (NOT recommended):
# export N8N_USER_MANAGEMENT_DISABLED=true
```

**Expected result:** n8n starts and shows a setup screen to create the first owner account with email and password. After setup, the login screen appears on every visit.

### 4. Add a reverse proxy for additional security

Regardless of which authentication method you use, place n8n behind a reverse proxy like Nginx or Caddy for production deployments. A reverse proxy adds TLS encryption (HTTPS), rate limiting, and IP-based access controls. This prevents credentials from being transmitted in plaintext and adds defense-in-depth. The reverse proxy handles SSL termination while n8n runs on HTTP internally.

```
# Nginx configuration for n8n with SSL
server {
    listen 443 ssl;
    server_name n8n.example.com;

    ssl_certificate /etc/letsencrypt/live/n8n.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/n8n.example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:5678;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

**Expected result:** n8n is accessible only through HTTPS at your domain. All traffic is encrypted, and the reverse proxy forwards requests to n8n on localhost.

## Complete code example

File: `docker-compose.yml`

```yaml
# docker-compose.yml — n8n with modern user management and Caddy reverse proxy
version: '3.8'

services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    expose:
      - '5678'
    environment:
      # User management is enabled by default in v2+
      # No basic auth variables needed
      - N8N_HOST=n8n.example.com
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://n8n.example.com/
      - N8N_SECURE_COOKIE=true
      - GENERIC_TIMEZONE=America/New_York
    volumes:
      - n8n_data:/home/node/.n8n

volumes:
  n8n_data:
  caddy_data:
  caddy_config:

# Caddyfile (save as ./Caddyfile):
# n8n.example.com {
#   reverse_proxy n8n:5678
# }
```

## Common mistakes

- **Using basic auth over HTTP without a reverse proxy** — undefined Fix: Basic auth sends credentials in base64 (not encrypted). Always use HTTPS via a reverse proxy or set N8N_PROTOCOL=https with SSL certificates.
- **Setting basic auth variables on n8n v2+ and wondering why they are ignored** — undefined Fix: Basic auth is deprecated in n8n v2. Remove the variables and use the built-in user management system instead.
- **Committing passwords to version control in docker-compose.yml** — undefined Fix: Use environment variable references like ${N8N_PASSWORD} and store actual values in a .env file that is listed in .gitignore.
- **Running n8n on a public IP without any authentication** — undefined Fix: Always enable either basic auth (legacy) or user management (v2+) before exposing n8n to the internet. Use firewall rules to restrict access.

## Best practices

- Use n8n v2+ built-in user management instead of deprecated basic auth
- Always use HTTPS in production to encrypt authentication credentials in transit
- Store passwords in a .env file, never hardcode them in docker-compose.yml or scripts
- Place n8n behind a reverse proxy like Nginx or Caddy for TLS termination and rate limiting
- Use strong passwords with at least 16 characters, mixing letters, numbers, and symbols
- Restrict network access to the n8n port using firewall rules so only the reverse proxy can reach it
- Enable N8N_SECURE_COOKIE=true when running behind HTTPS to prevent cookie hijacking

## Frequently asked questions

### Is basic auth still supported in n8n v2?

Basic auth environment variables are deprecated in n8n v2 and may be ignored. n8n v2 uses built-in user management with proper login accounts. Remove the basic auth variables and create a user account through the n8n setup screen.

### Can I have multiple user accounts in n8n?

Yes. n8n v2+ supports multiple user accounts with owner and member roles. The owner can invite new users via email from Settings > Users in the n8n editor.

### Does basic auth protect webhook endpoints?

No. Basic auth only protects the n8n editor UI and REST API. Webhook endpoints are accessible without authentication unless you add header-based validation in the Webhook node settings.

### How do I reset a forgotten password in n8n v2?

Use the password reset flow in the login screen if email is configured. For self-hosted without email, you can reset credentials by accessing the n8n database directly or using the n8n CLI command: n8n user-management:reset.

### Is n8n Cloud already secured?

Yes. n8n Cloud includes built-in user management, HTTPS, and access controls by default. You do not need to configure basic auth or a reverse proxy on n8n Cloud.

### Can RapidDev help me secure my n8n deployment?

Yes. RapidDev can set up a production-hardened n8n deployment with HTTPS, user management, firewall rules, and monitoring. Contact RapidDev for a free security consultation.

---

Source: https://www.rapidevelopers.com/n8n-tutorial/how-to-secure-n8n-with-basic-auth
© RapidDev — https://www.rapidevelopers.com/n8n-tutorial/how-to-secure-n8n-with-basic-auth
