Merged · Size: M · Change breakdown: Config 40%, Feature 35%, Security 25%
#28158 feat: Environment var to disable forms pages sandboxing (backport to 1.x)

Form page CSP sandboxing now configurable via env var

n8n deployments can now disable Content Security Policy sandboxing for form pages via an environment variable, providing relief for configurations where the protection conflicts with proxies or other infrastructure.

Form trigger workflows and Send-and-Wait steps in n8n apply Content Security Policy sandbox headers to their HTML pages. In some environments — particularly those with certain proxy configurations — this protection causes infinite loops or prevents forms from loading correctly. A new environment variable provides an escape hatch for these edge cases.

Setting N8N_INSECURE_DISABLE_FORM_HTML_SANDBOX=true disables the CSP sandbox headers for Form Trigger, form completion pages, and Send-and-Wait workflows. The change applies across the form-related code paths in the CLI and nodes-base packages.

The feature carries a warning in the configuration: disabling CSP protection exposes instances to attacks where malicious workflows can make requests using other users' credentials. The documentation recommends configuring forms to be served from a different subdomain as the correct mitigation. This environment variable is intended as a last resort for infrastructure that cannot be restructured.
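A check an operator could run against a form page's response headers to confirm the sandbox is still enforced and still isolates the page's origin. This is an added example, not n8n's code or part of the PR; the function names and sample headers are constructed, and the exact sandbox tokens n8n sends are not stated on this page.

```javascript
// Added example, not n8n code. Sample headers below are constructed.

// Split header value(s) into policies; a comma separates policies in one header.
function parsePolicies(value) {
  const raw = Array.isArray(value) ? value : [value ?? ''];
  return raw
    .flatMap((v) => v.split(','))
    .map((policy) => {
      const directives = new Map();
      for (const part of policy.split(';')) {
        const [name, ...tokens] = part.trim().split(/\s+/);
        const key = name.toLowerCase();
        // Within one policy, only the first occurrence of a directive counts.
        if (key && !directives.has(key)) {
          directives.set(key, tokens.map((t) => t.toLowerCase()));
        }
      }
      return directives;
    })
    .filter((d) => d.size > 0);
}

function assessFormSandbox(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const sandboxes = parsePolicies(h['content-security-policy'])
    .filter((d) => d.has('sandbox'))
    .map((d) => d.get('sandbox'));
  if (sandboxes.length === 0) {
    // Browsers ignore sandbox in a Report-Only policy, so it does not count.
    const reportOnly = parsePolicies(h['content-security-policy-report-only'])
      .some((d) => d.has('sandbox'));
    return { sandboxed: false, opaqueOrigin: false, reportOnly };
  }
  // Policies apply together: one sandbox without allow-same-origin isolates.
  const opaqueOrigin = sandboxes.some((t) => !t.includes('allow-same-origin'));
  return { sandboxed: true, opaqueOrigin, reportOnly: false };
}

const samples = {
  sandboxOn: { 'Content-Security-Policy': 'sandbox allow-forms allow-scripts' },
  sandboxOff: { 'Content-Type': 'text/html; charset=utf-8' },
  reportOnly: { 'Content-Security-Policy-Report-Only': 'sandbox allow-forms' },
  weakened: { 'content-security-policy': ["default-src 'self'", 'Sandbox allow-forms allow-same-origin'] },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, assessFormSandbox(headers));
}
```

A result with `sandboxed: false` on a form URL is what an instance running with N8N_INSECURE_DISABLE_FORM_HTML_SANDBOX=true would be expected to show, and `opaqueOrigin: false` means the page still shares the instance's origin.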

The refactoring also consolidates CSP-related utilities by renaming from its webhook-specific naming, reflecting that the same sandbox directive applies to both webhook and form pages.

View Original GitHub Description

Description

Backport of #27409 to 1.x.

Checklist for the author (@michael-radency) to go through.

  • Review the backport changes
  • Fix possible conflicts
  • Merge to target branch

After this PR has been merged, it will be picked up in the next patch release for release track.

Original description

Summary

Adds the N8N_INSECURE_DISABLE_FORM_HTML_SANDBOX environment variable to disable form page sandboxing, which may cause issues in certain cases (e.g., with proxies). Default is false.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/NODE-4138/community-issue-form-trigger-always-loop

Fixes https://github.com/n8n-io/n8n/issues/23262

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)