ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-03-24 03:13:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement security audit fixes - rate limiting and SSRF protection (Issue #265 PR #2)

Browse Source 
This commit implements HIGH-02 (Rate Limiting) and HIGH-03 (SSRF Protection)
from the security audit, protecting against brute force attacks and
Server-Side Request Forgery.

Security Enhancements:
- Rate limiting: 20 attempts per 15 minutes per IP (configurable)
- SSRF protection: Three security modes (strict/moderate/permissive)
- DNS rebinding prevention
- Cloud metadata blocking in all modes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-10-06 15:40:07 +02:00
parent 9a00a99011
commit 06cbb40213
15 changed files with 1041 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/RAILWAY_DEPLOYMENT.md
View File

@@ -105,6 +105,9 @@ These are automatically set by the Railway template:
| `CORS_ORIGIN` | `*` | Allow any origin |
| `HOST` | `0.0.0.0` | Listen on all interfaces |
| `PORT` | (Railway provides) | Don't set manually |
| `AUTH_RATE_LIMIT_WINDOW` | `900000` (15 min) | Rate limit window (v2.16.3+) |
| `AUTH_RATE_LIMIT_MAX` | `20` | Max auth attempts (v2.16.3+) |
| `WEBHOOK_SECURITY_MODE` | `strict` | SSRF protection mode (v2.16.3+) |
### Optional Variables
@@ -284,6 +287,32 @@ Since the Railway template uses a specific Docker image tag, updates are manual:
You could use the `latest` tag, but this may cause unexpected breaking changes.
## 🔒 Security Features (v2.16.3+)
Railway deployments include enhanced security features:
### Rate Limiting
- **Automatic brute force protection** - 20 attempts per 15 minutes per IP
- **Configurable limits** via `AUTH_RATE_LIMIT_WINDOW` and `AUTH_RATE_LIMIT_MAX`
- **Standard rate limit headers** for client awareness
### SSRF Protection
- **Default strict mode** blocks localhost, private IPs, and cloud metadata
- **Cloud metadata always blocked** (169.254.169.254, metadata.google.internal, etc.)
- **Use `moderate` mode only if** connecting to local n8n instance
**Security Configuration:**
```bash
# In Railway Variables tab:
WEBHOOK_SECURITY_MODE=strict # Production (recommended)
# or
WEBHOOK_SECURITY_MODE=moderate # If using local n8n with port forwarding
# Rate limiting (defaults are good for most use cases)
AUTH_RATE_LIMIT_WINDOW=900000 # 15 minutes
AUTH_RATE_LIMIT_MAX=20 # 20 attempts per IP
```
## 📝 Best Practices
1. **Always change the default AUTH_TOKEN immediately**