| # Security Policy | |
| ## Reporting a Vulnerability | |
| If you discover a security vulnerability, please report it responsibly: | |
| 1. **Do NOT open a public issue** | |
| 2. Email the maintainer or open a private security advisory on GitHub | |
| 3. Include steps to reproduce if possible | |
| We'll respond within 48 hours and work on a fix. | |
| ## Security Best Practices | |
| When deploying Hugging8n: | |
| - **Enable basic auth** β set `N8N_BASIC_AUTH_USER` and `N8N_BASIC_AUTH_PASSWORD` to protect your n8n instance from unauthorized access | |
| - **Create a strong n8n owner password** during first-run setup | |
| - **Set your Space to Private** β prevents unauthorized access to your n8n instance from the web | |
| - **Keep your HF token scoped** β use fine-grained tokens with minimum permissions (read/write to your backup dataset only) | |
| - **Set a strong `N8N_ENCRYPTION_KEY`** β protects your stored credentials; if lost, credentials cannot be recovered | |
| - **Optionally set `CLOUDFLARE_PROXY_SECRET` in both Space and Worker** β recommended to prevent Worker URL abuse as an open proxy | |
| - **Keep secure cookies enabled on HTTPS** β default is secure in this project; only disable for local non-HTTPS testing | |
| - **Don't commit `.env` files** β the `.gitignore` already excludes them | |
| - **Review n8n credentials** β periodically audit credentials stored in n8n | |
| ## Supported Versions | |
| | Version | Supported | | |
| |---------|-----------| | |
| | 1.0.x | β | | |