N8N Cheatsheet

🔹 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 & 𝐒𝐭𝐚𝐫𝐭

➤ 𝐃𝐨𝐜𝐤𝐞𝐫 (quick start)

docker run -it --rm \
  --name n8n \
  -p 5678:5678 \
  -v ~/.n8n:/home/node/.n8n \
  n8nio/n8n

➤ 𝐃𝐞𝐟𝐚𝐮𝐥𝐭 𝐔𝐈: http://localhost:5678
➤ 𝐏𝐞𝐫𝐬𝐢𝐬𝐭𝐞𝐧𝐭 𝐝𝐚𝐭𝐚: ~/.n8n (back this up)

🔹 𝐂𝐨𝐫𝐞 𝐂𝐨𝐧𝐜𝐞𝐩𝐭𝐬

• Nodes = building blocks (APIs, logic, files)
• Workflows = directed graphs of nodes
• Items = rows/records flowing through nodes (array of JSONs)
• Binary Data = files that travel with items
• Triggers = start workflows (e.g., Webhook, Cron)
• Executions = individual runs (view logs/data)
• Credentials = encrypted API keys & logins
• Error Workflows = catch-all for failures

🔹 𝐏𝐨𝐩𝐮𝐥𝐚𝐫 𝐓𝐫𝐢𝐠𝐠𝐞𝐫𝐬

➤ Webhook – start via HTTP request (great for inbound alerts)
➤ Cron / Interval – scheduled jobs (hourly/daily/weekly)
➤ IMAP Email – react to new emails
➤ Polling – check APIs on a cadence
➤ Event/WebSocket – react to external events (where supported)

🔹 𝐄𝐬𝐬𝐞𝐧𝐭𝐢𝐚𝐥 𝐍𝐨𝐝𝐞𝐬

• HTTP Request – call any REST API
• Set – add/rename fields; create constants
• If / Switch – conditional routing
• Merge – combine branches (by index, key, or append)
• SplitInBatches – process large lists safely
• Function / Code – custom JS transforms
• Wait – delays, windows, backoff
• Spreadsheet File – CSV/Excel parse/build
• Database – Postgres/MySQL/SQLite queries
• Execute Command – run CLI (air-gapped or local ops)

🔹 𝐄𝐱𝐩𝐫𝐞𝐬𝐬𝐢𝐨𝐧𝐬 & 𝐃𝐚𝐭𝐚 𝐌𝐚𝐩𝐩𝐢𝐧𝐠

• Current item field: {{$json.myField}}
• Other node’s output: {{$node["Node Name"].json.other}}
• Now/time: {{$now}}, {{$today}}, {{$fromNow(3600)}}
• String ops: {{ $json.name.toUpperCase() }}
• Arrays: {{ $items().map(i => i.json.id) }}
• Safe pathing: {{ $json["user.profile.email"] }}
• JMESPath helper (where available): {{ $jmespath($json, 'users[*].email') }}

🔹 𝐄𝐧𝐯 𝐕𝐚𝐫𝐬 (𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲, 𝐃𝐞𝐩𝐥𝐨𝐲𝐦𝐞𝐧𝐭)

Security

N8N_ENCRYPTION_KEY → encrypt credentials (must set in prod)
N8N_BASIC_AUTH_ACTIVE=true + N8N_BASIC_AUTH_USER/PASSWORD (optional)
N8N_USER_MANAGEMENT_DISABLED=false (keep default; use built-in users)

Networking / URLs

N8N_HOST=example.com
N8N_PORT=5678
N8N_PROTOCOL=https
N8N_EDITOR_BASE_URL=https://example.com/
WEBHOOK_URL=https://example.com/ (public URL for webhooks)

Executions / Logs

EXECUTIONS_MODE=regular (or queue)
EXECUTIONS_DATA_SAVE_ON_SUCCESS=false
EXECUTIONS_DATA_SAVE_ON_ERROR=true
N8N_LOG_LEVEL=info (trace|debug|info|warn|error)
N8N_METRICS=true (Prometheus endpoint)

DB & Queue

DB_TYPE=postgresdb + DB_POSTGRESDB_* vars
QUEUE_BULL_REDIS_HOST=redis + port/auth vars (queue mode)

🔹 𝐒𝐜𝐚𝐥𝐢𝐧𝐠 & 𝐇𝐀

• Regular mode: single process handles UI+executions
• Queue mode:
– Main (UI/scheduler) + multiple workers (executions)
– Requires Redis; scale workers horizontally
• Postgres for production persistence
• Reverse proxy (Caddy/NGINX) + HTTPS + rate-limit on webhooks
• Backups: DB, ~/.n8n, mounted volumes, credentials

🔹 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐏𝐚𝐭𝐭𝐞𝐫𝐧𝐬

• Store secrets in Credentials, not Function nodes
• Use Webhook secrets / auth headers; verify signatures
• Restrict IPs at proxy/WAF; require TLS everywhere
• Principle of least privilege for API keys
• Turn on Error Workflow to notify SecOps on failure
• Prune execution data; log to SIEM (via HTTP/Slack/Syslog node)

🔹 𝐂𝐋𝐈 (𝐊𝐧𝐨𝐰-𝐁𝐲-𝐇𝐞𝐚𝐫𝐭)

n8n start
n8n import:workflow --input=myflow.json
n8n export:workflow --id=123 --output=myflow.json
n8n export:credentials --all --output=creds.json
n8n user-management:reset   # reset owner/admin

🔹 𝐃𝐞𝐛𝐮𝐠 & 𝐓𝐞𝐬𝐭

• Pin data on nodes to test without re-running upstream
• Past Executions → inspect inputs/outputs/errors
• Add Notes to nodes (gotchas, API quirks)
• Use Wait for rate-limits / backoff
• Set Continue On Fail where non-critical

🔹 𝐂𝐨𝐦𝐦𝐨𝐧 𝐋𝐨𝐨𝐩𝐬 & 𝐏𝐚𝐠𝐢𝐧𝐚𝐭𝐢𝐨𝐧 (𝐏𝐚𝐭𝐭𝐞𝐫𝐧)

HTTP Request (page=1) → 2) IF (has next?) → 3) Merge (append)
Use Set/Function to bump page param; Wait for backoff.

🔹 𝐔𝐬𝐞𝐟𝐮𝐥 𝐉𝐒 𝐒𝐧𝐢𝐩𝐩𝐞𝐭𝐬 (𝐅𝐮𝐧𝐜𝐭𝐢𝐨𝐧/𝐂𝐨𝐝𝐞)

Map fields

return items.map(i => ({ json: {
  id: i.json.id,
  email: i.json.user?.email ?? null,
  ts: new Date().toISOString()
}}));

Deduplicate by key

const seen = new Set();
return items.filter(i => !seen.has(i.json.id) && seen.add(i.json.id));

Group into batches of N

const N = 100;
const out = [];
for (let i=0;i<items.length;i+=N) out.push({ json: { batch: items.slice(i,i+N).map(x=>x.json) }});
return out;

🔹 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧 𝐑𝐞𝐜𝐢𝐩𝐞𝐬

Real-Time Alert → Enrich → Act

𝗪𝐞𝐛𝐡𝐨𝐨𝐤 (from IDS/EDR) → 2) HTTP Request (VirusTotal/OTX) →
IF (malicious) → 4) Slack/Email + HTTP Request (EDR isolate)

Vuln Scan → Ticketing

𝗖𝐫𝐨𝐧 → 2) HTTP Request (scanner API) → 3) SplitInBatches →
If (severity ≥ high) → 5) HTTP (Jira/GitHub Issues)

Phishing Intake

𝗜𝐌𝐀𝐏 𝐓𝐫𝐢𝐠𝐠𝐞𝐫 (mailbox) → 2) Function (extract URLs) →
HTTP (threat-intel lookups) → 4) Google Sheet/DB (log)

🔹 𝐁𝐞𝐬𝐭 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬 (𝐏𝐫𝐨𝐝)

✔ Set N8N_ENCRYPTION_KEY before creating credentials
✔ Use Postgres + Redis (queue mode) for scale
✔ Keep workflows atomic; call Sub-Workflows for reuse
✔ Version workflows (export to Git)
✔ Establish naming: team-domain:verb-object (e.g., sec-irt:enrich-indicator)
✔ Monitor with metrics/logs; alert on failures via Error Workflow
✔ Back up DB + credentials regularly; test restores

🔹 𝐀𝐝𝐯𝐚𝐧𝐜𝐞𝐝

• Reusable/Sub-Workflows via Execute Workflow node
• Webhook Auth (HMAC headers / shared secrets)
• Queues: main + N workers (EXECUTIONS_MODE=queue)
• Git Sync (export/import flows in CI)
• Files/Binary: Move Binary Data ↔ Spreadsheet File ↔ S3
• Data Warehousing: Postgres/MySQL nodes → ELT into warehouse
• Prompt/AI: call LLM APIs via HTTP; cache with DB; audit outputs

🔹 𝐐𝐮𝐢𝐜𝐤 𝐂𝐡𝐞𝐜𝐤𝐥𝐢𝐬𝐭 (𝐆𝐨-𝐋𝐢𝐯𝐞)

▣ HTTPS via proxy (Caddy/NGINX)
▣ N8N_ENCRYPTION_KEY set & stored securely
▣ Postgres + Redis configured; queue workers sized
▣ Basic Auth or SSO in front of editor (if needed)
▣ Error Workflow wired to on-call channel
▣ Backups scheduled; restore test passed
▣ Execution data retention tuned (save on error only)