🔹 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 & 𝐒𝐭𝐚𝐫𝐭
➤ 𝐃𝐨𝐜𝐤𝐞𝐫 (quick start)
docker run -it --rm \
--name n8n \
-p 5678:5678 \
-v ~/.n8n:/home/node/.n8n \
n8nio/n8n
➤ 𝐃𝐞𝐟𝐚𝐮𝐥𝐭 𝐔𝐈: http://localhost:5678
➤ 𝐏𝐞𝐫𝐬𝐢𝐬𝐭𝐞𝐧𝐭 𝐝𝐚𝐭𝐚: ~/.n8n (back this up)
🔹 𝐂𝐨𝐫𝐞 𝐂𝐨𝐧𝐜𝐞𝐩𝐭𝐬
• Nodes = building blocks (APIs, logic, files)
• Workflows = directed graphs of nodes
• Items = rows/records flowing through nodes (array of JSONs)
• Binary Data = files that travel with items
• Triggers = start workflows (e.g., Webhook, Cron)
• Executions = individual runs (view logs/data)
• Credentials = encrypted API keys & logins
• Error Workflows = catch-all for failures
🔹 𝐏𝐨𝐩𝐮𝐥𝐚𝐫 𝐓𝐫𝐢𝐠𝐠𝐞𝐫𝐬
➤ Webhook – start via HTTP request (great for inbound alerts)
➤ Cron / Interval – scheduled jobs (hourly/daily/weekly)
➤ IMAP Email – react to new emails
➤ Polling – check APIs on a cadence
➤ Event/WebSocket – react to external events (where supported)
🔹 𝐄𝐬𝐬𝐞𝐧𝐭𝐢𝐚𝐥 𝐍𝐨𝐝𝐞𝐬
• HTTP Request – call any REST API
• Set – add/rename fields; create constants
• If / Switch – conditional routing
• Merge – combine branches (by index, key, or append)
• SplitInBatches – process large lists safely
• Function / Code – custom JS transforms
• Wait – delays, windows, backoff
• Spreadsheet File – CSV/Excel parse/build
• Database – Postgres/MySQL/SQLite queries
• Execute Command – run CLI (air-gapped or local ops)
🔹 𝐄𝐱𝐩𝐫𝐞𝐬𝐬𝐢𝐨𝐧𝐬 & 𝐃𝐚𝐭𝐚 𝐌𝐚𝐩𝐩𝐢𝐧𝐠
• Current item field: {{$json.myField}}
• Other node’s output: {{$node["Node Name"].json.other}}
• Now/time: {{$now}}, {{$today}}, {{$fromNow(3600)}}
• String ops: {{ $json.name.toUpperCase() }}
• Arrays: {{ $items().map(i => i.json.id) }}
• Safe pathing: {{ $json["user.profile.email"] }}
• JMESPath helper (where available): {{ $jmespath($json, 'users[*].email') }}
🔹 𝐄𝐧𝐯 𝐕𝐚𝐫𝐬 (𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲, 𝐃𝐞𝐩𝐥𝐨𝐲𝐦𝐞𝐧𝐭)
Security
• N8N_ENCRYPTION_KEY → encrypt credentials (must set in prod)
• N8N_BASIC_AUTH_ACTIVE=true + N8N_BASIC_AUTH_USER/PASSWORD (optional)
• N8N_USER_MANAGEMENT_DISABLED=false (keep default; use built-in users)
Networking / URLs
• N8N_HOST=example.com
• N8N_PORT=5678
• N8N_PROTOCOL=https
• N8N_EDITOR_BASE_URL=https://example.com/
• WEBHOOK_URL=https://example.com/ (public URL for webhooks)
Executions / Logs
• EXECUTIONS_MODE=regular (or queue)
• EXECUTIONS_DATA_SAVE_ON_SUCCESS=false
• EXECUTIONS_DATA_SAVE_ON_ERROR=true
• N8N_LOG_LEVEL=info (trace|debug|info|warn|error)
• N8N_METRICS=true (Prometheus endpoint)
DB & Queue
• DB_TYPE=postgresdb + DB_POSTGRESDB_* vars
• QUEUE_BULL_REDIS_HOST=redis + port/auth vars (queue mode)
🔹 𝐒𝐜𝐚𝐥𝐢𝐧𝐠 & 𝐇𝐀
• Regular mode: single process handles UI+executions
• Queue mode:
– Main (UI/scheduler) + multiple workers (executions)
– Requires Redis; scale workers horizontally
• Postgres for production persistence
• Reverse proxy (Caddy/NGINX) + HTTPS + rate-limit on webhooks
• Backups: DB, ~/.n8n, mounted volumes, credentials
🔹 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐏𝐚𝐭𝐭𝐞𝐫𝐧𝐬
• Store secrets in Credentials, not Function nodes
• Use Webhook secrets / auth headers; verify signatures
• Restrict IPs at proxy/WAF; require TLS everywhere
• Principle of least privilege for API keys
• Turn on Error Workflow to notify SecOps on failure
• Prune execution data; log to SIEM (via HTTP/Slack/Syslog node)
🔹 𝐂𝐋𝐈 (𝐊𝐧𝐨𝐰-𝐁𝐲-𝐇𝐞𝐚𝐫𝐭)
n8n start
n8n import:workflow --input=myflow.json
n8n export:workflow --id=123 --output=myflow.json
n8n export:credentials --all --output=creds.json
n8n user-management:reset # reset owner/admin
🔹 𝐃𝐞𝐛𝐮𝐠 & 𝐓𝐞𝐬𝐭
• Pin data on nodes to test without re-running upstream
• Past Executions → inspect inputs/outputs/errors
• Add Notes to nodes (gotchas, API quirks)
• Use Wait for rate-limits / backoff
• Set Continue On Fail where non-critical
🔹 𝐂𝐨𝐦𝐦𝐨𝐧 𝐋𝐨𝐨𝐩𝐬 & 𝐏𝐚𝐠𝐢𝐧𝐚𝐭𝐢𝐨𝐧 (𝐏𝐚𝐭𝐭𝐞𝐫𝐧)
1) HTTP Request (page=1) → 2) IF (has next?) → 3) Merge (append)
Use Set/Function to bump the page param; Wait for backoff.
🔹 𝐔𝐬𝐞𝐟𝐮𝐥 𝐉𝐒 𝐒𝐧𝐢𝐩𝐩𝐞𝐭𝐬 (𝐅𝐮𝐧𝐜𝐭𝐢𝐨𝐧/𝐂𝐨𝐝𝐞)
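Map fields
// One output item per input item, keeping only the fields needed downstream
return items.map(i => ({
  json: {
    id: i.json.id,
    email: i.json.user?.email ?? null,
    ts: new Date().toISOString(),
  },
}));
Deduplicate by key
// Keep the first item seen for each id (Set#add returns the Set, which is truthy)
const seen = new Set();
return items.filter(i => !seen.has(i.json.id) && seen.add(i.json.id));
Group into batches of N
// Emit one item per batch of up to N records
const N = 100;
const out = [];
for (let i = 0; i < items.length; i += N) {
  out.push({ json: { batch: items.slice(i, i + N).map(x => x.json) } });
}
return out;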
🔹 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧 𝐑𝐞𝐜𝐢𝐩𝐞𝐬
Real-Time Alert → Enrich → Act
1) Webhook (from IDS/EDR) → 2) HTTP Request (VirusTotal/OTX) →
3) IF (malicious) → 4) Slack/Email + HTTP Request (EDR isolate)
Vuln Scan → Ticketing
1) Cron → 2) HTTP Request (scanner API) → 3) SplitInBatches →
4) If (severity ≥ high) → 5) HTTP (Jira/GitHub Issues)
Phishing Intake
1) IMAP Trigger (mailbox) → 2) Function (extract URLs) →
3) HTTP (threat-intel lookups) → 4) Google Sheet/DB (log)
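Added example for step 2 of Phishing Intake (not part of the original cheat sheet and not n8n's own code): a URL extractor that trims, normalises, deduplicates and defangs links before the threat-intel lookup. The function names, the flag labels and the sample body are assumptions made for illustration.

```javascript
// Matches http(s) URLs in plain text or HTML attributes; stops at quotes,
// angle brackets, whitespace and closing brackets.
const URL_RE = /\bhttps?:\/\/[^\s<>"')\]]+/gi;

// Rewrite a URL so it is not clickable in tickets, sheets or chat.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Cheap triage hints worth recording next to each URL (labels are hypothetical).
function flagsFor(u) {
  const flags = [];
  if (u.protocol === 'http:') flags.push('plain-http');
  if (u.username || u.password) flags.push('userinfo');
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname) || u.hostname.startsWith('[')) {
    flags.push('ip-host');
  }
  if (u.hostname.split('.').some(label => label.startsWith('xn--'))) flags.push('punycode');
  return flags;
}

function extractUrls(body) {
  const seen = new Map();
  for (const raw of String(body).match(URL_RE) || []) {
    const trimmed = raw.replace(/[.,;:!?]+$/, ''); // drop sentence punctuation
    let u;
    try { u = new URL(trimmed); } catch { continue; } // skip unparsable matches
    u.hash = ''; // fragments never reach the server
    if (seen.has(u.href)) continue; // URL() already lower-cased scheme and host
    seen.set(u.href, { host: u.hostname, defanged: defang(u.href), flags: flagsFor(u) });
  }
  // n8n item shape: one item per unique URL
  return [...seen].map(([url, meta]) => ({ json: { url, ...meta } }));
}

// Constructed sample message body (reserved example domains and TEST-NET address).
const SAMPLE_BODY = [
  'Your mailbox is full. Verify at https://login.example.test/reset?id=42.',
  '<a href="HTTPS://Login.Example.TEST/reset?id=42">click here</a>',
  'Mirror: http://192.0.2.10/portal or https://user@xn--bcher-kva.example/a',
].join('\n');
```

Send the `url` field to the lookup node and write only the `defanged` form to the sheet, ticket or chat message.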
🔹 𝐁𝐞𝐬𝐭 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬 (𝐏𝐫𝐨𝐝)
✔ Set N8N_ENCRYPTION_KEY before creating credentials
✔ Use Postgres + Redis (queue mode) for scale
✔ Keep workflows atomic; call Sub-Workflows for reuse
✔ Version workflows (export to Git)
✔ Establish naming: team-domain:verb-object (e.g., sec-irt:enrich-indicator)
✔ Monitor with metrics/logs; alert on failures via Error Workflow
✔ Back up DB + credentials regularly; test restores
🔹 𝐀𝐝𝐯𝐚𝐧𝐜𝐞𝐝
• Reusable/Sub-Workflows via Execute Workflow node
• Webhook Auth (HMAC headers / shared secrets)
• Queues: main + N workers (EXECUTIONS_MODE=queue)
• Git Sync (export/import flows in CI)
• Files/Binary: Move Binary Data ↔ Spreadsheet File ↔ S3
• Data Warehousing: Postgres/MySQL nodes → ELT into warehouse
• Prompt/AI: call LLM APIs via HTTP; cache with DB; audit outputs
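Added example for "verify signatures" under Security Patterns and "Webhook Auth (HMAC headers / shared secrets)" above (not from the original cheat sheet and not n8n's own code): HMAC-SHA256 verification with a replay window and constant-time comparison, in plain Node.js. The header names, the signing format and the 5-minute window are assumptions; use whatever the sending system documents.

```javascript
const crypto = require('crypto');

// Assumed conventions (hypothetical, not n8n or vendor defaults):
// sender puts a Unix timestamp in x-timestamp and
// hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")) in x-signature.
const SIG_HEADER = 'x-signature';
const TS_HEADER = 'x-timestamp';
const MAX_SKEW_SECONDS = 300; // reject deliveries older or newer than 5 minutes

function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');
}

// headers: lower-cased header map; rawBody: the exact body received, as a string
// (re-serialised JSON will not match the sender's signature).
function verifyWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const tsRaw = String(headers[TS_HEADER] ?? '');
  const given = String(headers[SIG_HEADER] ?? '').toLowerCase();
  if (!/^\d{1,12}$/.test(tsRaw)) return { ok: false, reason: 'missing-timestamp' };
  if (Math.abs(nowSeconds - Number(tsRaw)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: 'stale' }; // limits replay of a captured request
  }
  if (!/^[0-9a-f]{64}$/.test(given)) return { ok: false, reason: 'malformed-signature' };
  const expected = Buffer.from(sign(secret, tsRaw, rawBody), 'hex');
  const provided = Buffer.from(given, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!crypto.timingSafeEqual(expected, provided)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample delivery, for illustration only.
function demo() {
  const secret = 'constructed-demo-secret';
  const body = '{"rule":"constructed-alert","host":"ws-01"}';
  const ts = '1700000000';
  const headers = { [TS_HEADER]: ts, [SIG_HEADER]: sign(secret, ts, body) };
  return {
    genuine: verifyWebhook(secret, headers, body, 1700000010),
    tampered: verifyWebhook(secret, headers, body.replace('ws-01', 'ws-02'), 1700000010),
    replayed: verifyWebhook(secret, headers, body, 1700000000 + 3600),
  };
}
```

In a workflow the secret belongs in a Credential or environment variable, not in the node's code, and an IF node should route anything with `ok: false` away from the action branch.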
🔹 𝐐𝐮𝐢𝐜𝐤 𝐂𝐡𝐞𝐜𝐤𝐥𝐢𝐬𝐭 (𝐆𝐨-𝐋𝐢𝐯𝐞)
▣ HTTPS via proxy (Caddy/NGINX)
▣ N8N_ENCRYPTION_KEY set & stored securely
▣ Postgres + Redis configured; queue workers sized
▣ Basic Auth or SSO in front of editor (if needed)
▣ Error Workflow wired to on-call channel
▣ Backups scheduled; restore test passed
▣ Execution data retention tuned (save on error only)

