If you discover a security vulnerability in this project, please report it responsibly by emailing the maintainers directly. Do not create public issues for security vulnerabilities.

Issue #48: Previously, the API server was vulnerable to path traversal attacks on Windows systems.

Fix Applied:

• Added comprehensive filename validation with validate_filename() function
• Blocks all path traversal patterns including:
  • Parent directory references (.., ../, ..\\)
  • URL-encoded traversal attempts (..%5c, ..%2f)
  • Absolute paths and drive letters
  • Shell special characters and wildcards
• Uses Path.resolve() and relative_to() for defense in depth
• Applied to all file-access endpoints:
  • /api/workflows/{filename}
  • /api/workflows/{filename}/download
  • /api/workflows/{filename}/diagram

Previously: CORS was configured with allow_origins=["*"], allowing any website to access the API.

Fix Applied:

• Restricted CORS origins to specific allowed domains:
  • Local development ports (3000, 8000, 8080)
  • GitHub Pages (https://zie619.github.io)
  • Community deployment (https://n8n-workflows-1-xxgm.onrender.com)
• Restricted allowed methods to only GET and POST
• Restricted allowed headers to Content-Type and Authorization

Previously: The /api/reindex endpoint could be called by anyone, potentially causing DoS.

Fix Applied:

• Added authentication requirement via admin_token query parameter
• Token must match ADMIN_TOKEN environment variable
• If no token is configured, the endpoint is disabled
• Added rate limiting to prevent abuse
• Logs all reindex attempts with client IP

New Security Feature:

• Implemented rate limiting (60 requests per minute per IP)
• Applied to all sensitive endpoints
• Prevents brute force and DoS attacks
• Returns HTTP 429 when limit exceeded

# Required for reindex endpoint
export ADMIN_TOKEN="your-secure-random-token"

# Optional: Configure rate limiting (default: 60)
# MAX_REQUESTS_PER_MINUTE=60

To add additional allowed origins, modify the ALLOWED_ORIGINS list in api_server.py:

ALLOWED_ORIGINS = [
    "http://localhost:3000",
    "http://localhost:8000",
    "https://your-domain.com",  # Add your production domain
]

1. Environment Variables: Never commit sensitive tokens or credentials to the repository
2. HTTPS Only: Always use HTTPS in production (HTTP is only for local development)
3. Regular Updates: Keep all dependencies updated to patch known vulnerabilities
4. Monitoring: Monitor logs for suspicious activity patterns
5. Backup: Regular backups of the workflows database

• Set strong ADMIN_TOKEN environment variable
• Configure CORS origins for your specific domain
• Use HTTPS with valid SSL certificate
• Enable firewall rules to restrict access
• Set up monitoring and alerting
• Review and rotate admin tokens regularly
• Keep Python and all dependencies updated
• Use a reverse proxy (nginx/Apache) with additional security headers

When deploying behind a reverse proxy, add these headers:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Security issues reported by:

• Path Traversal: Community contributor via Issue #48

For security concerns, please contact the maintainers privately.