Hugging8N / SECURITY.md
somratpro
feat: enhance Cloudflare proxy with shared secret support, add uptime monitoring features, and improve startup timeout handling
7f99b73

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue
  2. Email the maintainer or open a private security advisory on GitHub
  3. Include steps to reproduce if possible

We'll respond within 48 hours and work on a fix.

Security Best Practices

When deploying Hugging8n:

  • Enable basic auth — set N8N_BASIC_AUTH_USER and N8N_BASIC_AUTH_PASSWORD to protect your n8n instance from unauthorized access
  • Create a strong n8n owner password during first-run setup
  • Set your Space to Private — prevents unauthorized access to your n8n instance from the web
  • Keep your HF token scoped — use fine-grained tokens with minimum permissions (read/write to your backup dataset only)
  • Set a strong N8N_ENCRYPTION_KEY — protects your stored credentials; if lost, credentials cannot be recovered
  • Optionally set CLOUDFLARE_PROXY_SECRET in both Space and Worker — recommended to prevent Worker URL abuse as an open proxy
  • Keep secure cookies enabled on HTTPS — default is secure in this project; only disable for local non-HTTPS testing
  • Don't commit .env files — the .gitignore already excludes them
  • Review n8n credentials — periodically audit credentials stored in n8n
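
A pre-deployment check for the variables named in the list above, as an added example (not part of the Hugging8n project). The function name audit_env, the length and entropy thresholds, and the sample values in the usage are assumptions made for illustration.

```python
import math
import os
from collections import Counter

MIN_KEY_LEN = 32        # assumption: minimum length accepted for the encryption key
MIN_KEY_BITS = 100      # assumption: minimum estimated entropy for the encryption key
MIN_PASSWORD_LEN = 12   # assumption: minimum basic-auth password length


def shannon_bits(value):
    """Heuristic entropy estimate in bits, from the character frequencies of value."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def audit_env(env):
    """Return findings for a mapping of environment variables (empty list = pass)."""
    findings = []
    user = env.get("N8N_BASIC_AUTH_USER", "")
    password = env.get("N8N_BASIC_AUTH_PASSWORD", "")
    if not user or not password:
        findings.append("basic-auth: set both N8N_BASIC_AUTH_USER and N8N_BASIC_AUTH_PASSWORD")
    elif password == user or len(password) < MIN_PASSWORD_LEN:
        findings.append("basic-auth: password is too short or equals the user name")

    key = env.get("N8N_ENCRYPTION_KEY", "")
    if not key:
        findings.append("encryption-key: N8N_ENCRYPTION_KEY is not set")
    elif len(key) < MIN_KEY_LEN or shannon_bits(key) < MIN_KEY_BITS:
        findings.append("encryption-key: N8N_ENCRYPTION_KEY looks weak")

    secret = env.get("CLOUDFLARE_PROXY_SECRET", "")
    if not secret:
        findings.append("proxy-secret: CLOUDFLARE_PROXY_SECRET is not set (optional, recommended)")
    elif secret in (password, key):
        findings.append("proxy-secret: reuses the basic-auth password or encryption key")
    return findings


if __name__ == "__main__":
    # Audit the current process environment and print one finding per line.
    for finding in audit_env(os.environ):
        print(finding)
```

The check reads only the environment and prints finding labels, never the secret values themselves, so its output is safe to keep in build logs.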

Supported Versions

Version   Supported
1.0.x     ✅