Rate limiting added to task runner endpoints
Task runner server endpoints now enforce rate limits, restricting clients to 5 requests per second to prevent abuse—aligning with broader platform security hardening efforts.
The task runner server's upgrade and authentication endpoints are now protected by rate limiting. These endpoints, which handle WebSocket upgrades and grant token creation respectively, now restrict clients to 5 requests within a one-second window. Requests exceeding this threshold receive a "Too many requests" response. While these endpoints typically run on local networks where exposure is limited, adding rate limits follows security best practices and protects against potential abuse, misconfiguration, or unintended hammering from clients. This work is part of a broader initiative to standardize rate limiting across n8n's API surface.
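The limit described above (5 requests per client in a one-second window, with a "Too many requests" rejection) can be modelled as a fixed-window counter. This is an added example, not code from the n8n pull request: the class, method and key names are hypothetical, and the HTTP 429 status and keying by remote address are assumptions.

```typescript
// Added example: fixed-window limiter sized like the limit described above
// (5 requests per 1000 ms). All names here are hypothetical, not n8n's code.
type Verdict = { allowed: boolean; retryAfterMs: number };

class FixedWindowLimiter {
  private readonly windows = new Map<string, { start: number; count: number }>();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  // The clock is injectable so the behaviour can be tested deterministically.
  constructor(limit = 5, windowMs = 1000, now: () => number = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  // Count one request for clientKey (assumed: the remote address) and decide.
  check(clientKey: string): Verdict {
    const t = this.now();
    let w = this.windows.get(clientKey);
    if (w === undefined || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 }; // first request, or the previous window expired
      this.windows.set(clientKey, w);
    }
    w.count += 1;
    if (w.count > this.limit) {
      return { allowed: false, retryAfterMs: w.start + this.windowMs - t };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Evict expired windows so many distinct keys cannot grow the map forever.
  sweep(): number {
    const t = this.now();
    let removed = 0;
    this.windows.forEach((w, key) => {
      if (t - w.start >= this.windowMs) {
        this.windows.delete(key);
        removed += 1;
      }
    });
    return removed;
  }
}

// Constructed traffic: `count` requests from one client at the same instant.
function burst(limiter: FixedWindowLimiter, clientKey: string, count: number): string[] {
  const out: string[] = [];
  for (let i = 0; i < count; i++) {
    out.push(limiter.check(clientKey).allowed ? 'pass' : '429 Too many requests');
  }
  return out;
}
```

A fixed window admits up to twice the limit across a window boundary; a sliding window or token bucket avoids that at the cost of more state per client.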
View Original GitHub Description
Summary
These endpoints are usually running in a local network, so they are not very risky. It is, however, best practice to rate limit endpoints like these.
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/CAT-482/add-rate-limiting-for-task-runner-endpoints
Review / Merge checklist
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with `release/backport` (if the PR is an urgent fix that needs to be backported)