Form page CSP sandboxing now toggleable via env var
n8n workflows can now disable Content Security Policy sandboxing for form pages via a new environment variable, solving compatibility issues with proxies and reverse proxies at the cost of weakened security hardening.
Form pages in n8n, used by Form Trigger, Send and Wait, and related nodes, have been protected by Content Security Policy sandbox headers that restrict what browsers can do with rendered form content. For some deployments, particularly those behind reverse proxies with their own header handling, this sandboxing has caused conflicts.

A new environment variable, N8N_INSECURE_DISABLE_FORM_HTML_SANDBOX, allows administrators to disable these CSP headers entirely. When set to true, the sandbox headers are not applied to form page responses. The default remains false, preserving the current secure behavior for new installations.

The code carries an explicit warning: disabling CSP protection leaves instances vulnerable to workflows that could make requests using other users' credentials. The recommended mitigation is serving forms from a separate subdomain, not disabling the sandbox; when that is not feasible, this escape hatch exists. This change applies to form rendering across the CLI and nodes-base packages, unifying CSP handling that previously differed between webhook and form pages.
Summary
Adds the N8N_INSECURE_DISABLE_FORM_HTML_SANDBOX environment variable to disable form page sandboxing, which may cause issues in certain cases (e.g., with proxies). Default is false.
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/NODE-4138/community-issue-form-trigger-always-loop
Fixes https://github.com/n8n-io/n8n/issues/23262
Review / Merge checklist
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported).