
Permissive CORS in n8n

  • Feb 12
  • 1 min read

What this means (non-technical)


CORS controls which websites are allowed to make requests to your n8n instance from a browser and, more precisely, which websites are allowed to read the replies. The browser enforces it: it compares the origin of the page that made the request with the Access-Control-Allow-Origin header in the response. If that header allows all origins (shown as *), any website can send requests to your webhooks from a visitor's browser and read the responses.


This removes an important boundary between your workflows and the public web: the only thing left protecting a webhook is whatever authentication the webhook itself requires.

What usually goes wrong


If any website can access your endpoints:


  • Malicious sites can trigger your workflows from a visitor's browser and read whatever the webhook returns.

  • Sensitive response data may be readable across domains.

  • Authenticated users could unknowingly trigger actions just by visiting a page. Note that a browser sends simple requests (a GET, or a form-style POST) whether or not CORS allows them; CORS only decides whether the page can read the reply, so a webhook that accepts unauthenticated calls can be triggered this way regardless of its CORS setting.


In your execution history these calls look like any other webhook request, so it can be hard to tell whether a workflow was triggered by your own application or by a page a user happened to visit.


Over time, this erodes your confidence in who can reach your automation.
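As an added example (not code from this page or from n8n), here is a small JavaScript model of both halves of the picture described above: the check a browser performs before letting a page read a cross-origin reply, and an origin allowlist a server can return instead of *. The origins, the allowlist and the scenario are constructed for illustration, and the function names are not n8n APIs.

```javascript
// Added example, not n8n's code: a model of how a browser applies CORS to a
// webhook reply, next to an origin allowlist a server can use instead of "*".
// All origins below are constructed for illustration.

// Server side: choose CORS headers for a request carrying `requestOrigin`.
// `allowedOrigins` is a list of full origins, or ["*"] for the permissive setting.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  const headers = {};
  if (allowedOrigins.includes("*")) {
    // Permissive: every origin may read the reply.
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (typeof requestOrigin === "string" && allowedOrigins.includes(requestOrigin)) {
    // Exact, whole-string match only. Echo the origin back and mark the reply
    // as varying by Origin so a shared cache never serves it to another site.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
  }
  // Anything else: no Access-Control-Allow-Origin header, so the browser blocks the read.
  return headers;
}

// A common mistake, kept here only to show why the exact match above matters:
// matching by prefix lets "https://app.example.com.evil.net" through.
function prefixMatchAllows(requestOrigin, allowedOrigins) {
  return allowedOrigins.some((o) => requestOrigin.startsWith(o));
}

// Browser side: the decision a browser makes before exposing a cross-origin
// reply to the page at `pageOrigin`. `withCredentials` models a fetch made
// with credentials: "include" (cookies or HTTP auth attached).
function browserCanReadResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;       // no header: read blocked
  if (allow === "*") return !withCredentials;  // "*" is never honoured for credentialed requests
  return allow === pageOrigin;                 // otherwise exact origin match
}

// A page at `pageOrigin` fires a simple request (GET, or a form-style POST)
// at a webhook configured with `allowedOrigins`. Simple requests are sent
// without a preflight, so the server processes them no matter what CORS says;
// CORS only governs whether the page gets to see the reply.
function simulateSimpleRequest(pageOrigin, allowedOrigins, withCredentials = false) {
  const headers = corsHeadersFor(pageOrigin, allowedOrigins);
  return {
    reachedServer: true,
    replyReadable: browserCanReadResponse(pageOrigin, headers, withCredentials),
  };
}

// Constructed scenario: a trusted front end, an attacker-controlled site, and
// a lookalike host that merely starts with the trusted origin.
const TRUSTED_ORIGIN = "https://app.example.com";
const ATTACKER_ORIGIN = "https://evil.example";
const LOOKALIKE_ORIGIN = "https://app.example.com.evil.net";

const permissive = ["*"];
const restricted = [TRUSTED_ORIGIN];

console.log("attacker page, CORS *         ->", simulateSimpleRequest(ATTACKER_ORIGIN, permissive));
console.log("attacker page, allowlist      ->", simulateSimpleRequest(ATTACKER_ORIGIN, restricted));
console.log("trusted page, allowlist       ->", simulateSimpleRequest(TRUSTED_ORIGIN, restricted));
console.log("attacker page, *, with cookies->", simulateSimpleRequest(ATTACKER_ORIGIN, permissive, true));
console.log("lookalike via prefix match    ->", prefixMatchAllows(LOOKALIKE_ORIGIN, restricted));
console.log("lookalike via exact allowlist ->", corsHeadersFor(LOOKALIKE_ORIGIN, restricted));
```

Two things to notice when running it: `reachedServer` is true in every case, because CORS never stops a simple request from being sent, it only hides the reply; and the allowlist compares the whole origin string, since a prefix or substring match lets a host that merely begins with your domain read the reply.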

When this becomes urgent


This becomes urgent when:


  • Your webhooks return sensitive data.

  • Your instance is publicly accessible.

  • Users log into n8n from a browser.

  • The workflows perform write operations or trigger external systems.


The more exposed your instance is to the public internet, the more important proper origin restrictions become.


Definitions


  1. CORS (Cross-Origin Resource Sharing): A browser-enforced mechanism in which a server's response headers (chiefly Access-Control-Allow-Origin) tell the browser which origins may read responses from that server. It does not by itself stop a request from being sent.


  2. Origin: The combination of scheme (http or https), host name, and port that identifies a website. Two pages on the same host but with a different scheme or port are different origins.

Disclaimer


This article highlights common patterns and risks seen in real-world n8n workflows. It’s meant to help you build more confidently and avoid surprises as your automation grows. Behavior can vary depending on your setup, version, and configuration.
