Security policy now configurable via environment variables

n8n administrators can now pre-configure MFA enforcement, personal space publishing, and personal space sharing through environment variables — security policies apply automatically on instance startup rather than requiring manual UI configuration.
Instance administrators previously had to configure security policies manually through the UI or API after startup. For teams running n8n in containers or managing multiple deployments, this meant either repetitive manual work or custom tooling to apply consistent security settings across environments.
Security policy settings — MFA enforcement, personal space publishing, and personal space sharing — can now be controlled via environment variables. When N8N_SECURITY_POLICY_MANAGED_BY_ENV is set to true, these policies are applied automatically on every instance startup. The CLI loader retrieves the configuration values and updates the relevant services before the instance becomes operational.
When security settings are managed by environment variables, the API rejects any attempt to modify them through the UI or endpoints. The frontend displays a notice indicating that settings are controlled via environment variables and disables the relevant toggle controls. This prevents configuration drift between what the environment specifies and what users might set through the interface.
The implementation follows the same pattern already used for owner settings — a dedicated loader class applies configuration during the startup sequence, with a master toggle that serves as a gate for all related environment variables. In the CLI package, new environment variables were added to the configuration schema. The API controllers gained guards that prevent updates when the environment is managing settings, and the SecuritySettingsDto now exposes a managedByEnv flag so clients know the state. The frontend component uses this flag to present a read-only view when appropriate.
Original GitHub Description
Summary
Add environment variable support for security policy settings using the instance settings loader pattern. This allows MFA enforcement, personal space publishing, and personal space sharing to be pre-configured via env vars and applied on instance startup.
New env vars:
- N8N_SECURITY_POLICY_MANAGED_BY_ENV (boolean, default false) — master toggle; when false, all other security policy env vars are ignored
- N8N_SECURITY_POLICY_MFA_ENFORCED (boolean, default false) — enforce MFA for all users
- N8N_SECURITY_POLICY_PERSONAL_SPACE_PUBLISHING (boolean, default true) — allow personal space publishing
- N8N_SECURITY_POLICY_PERSONAL_SPACE_SHARING (boolean, default true) — allow personal space sharing
How to test:
- Set N8N_SECURITY_POLICY_MANAGED_BY_ENV=true along with desired policy env vars
- Start the instance
- Verify security settings in UI match the env var values
- Restart and confirm settings are re-applied on every startup
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/LIGO-436
Review / Merge checklist
- I have seen this code, I have run this code, and I take responsibility for this code.
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
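A preflight check for the variables listed in the description above, as an added example that is not part of the PR or of n8n's code: it lints a deployment env file for policy variables that would be silently ignored because the master toggle is off, and for a locked configuration that leaves MFA unenforced. The function name, the finding labels, and the rule that only the literal values true and false are accepted are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example: lint a KEY=VALUE env file for n8n security-policy variables.
# Prints one finding per line; prints nothing when the file is consistent.
# Assumption of this check: only the literal values "true" and "false" are
# accepted, so quoted or otherwise decorated values are flagged.

lint_security_policy_env() {
  local file="$1" line key val def pair master="" mfa="" pub="" share=""
  local P="N8N_SECURITY_POLICY"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in "$P"_*=*) ;; *) continue ;; esac  # policy variables only
    key="${line%%=*}"; val="${line#*=}"
    case "$val" in true|false) ;; *) echo "INVALID $key=$val"; continue ;; esac
    case "$key" in
      "${P}_MANAGED_BY_ENV")            master="$val" ;;
      "${P}_MFA_ENFORCED")              mfa="$val" ;;
      "${P}_PERSONAL_SPACE_PUBLISHING") pub="$val" ;;
      "${P}_PERSONAL_SPACE_SHARING")    share="$val" ;;
      *) echo "UNKNOWN $key" ;;
    esac
  done < "$file"

  for pair in "MFA_ENFORCED=$mfa" "PERSONAL_SPACE_PUBLISHING=$pub" \
              "PERSONAL_SPACE_SHARING=$share"; do
    key="${pair%%=*}"; val="${pair#*=}"
    if [ "$key" = "MFA_ENFORCED" ]; then def=false; else def=true; fi
    if [ "$master" != "true" ]; then
      # Master toggle off or unset: the other variables are ignored.
      [ -z "$val" ] || echo "IGNORED ${P}_$key=$val (master toggle is not true)"
    elif [ -z "$val" ]; then
      echo "DEFAULT ${P}_$key unset, default $def per the PR description"
    fi
  done
  # With the toggle on, the API rejects UI changes, so MFA stays off.
  if [ "$master" = "true" ] && [ "${mfa:-false}" = "false" ]; then
    echo "WEAK MFA is not enforced and cannot be enabled from the UI"
  fi
  return 0
}

# Constructed sample: policy variables set, master toggle forgotten.
sample="$(mktemp)"
printf '%s\n' 'N8N_SECURITY_POLICY_MFA_ENFORCED=true' \
  'N8N_SECURITY_POLICY_PERSONAL_SPACE_SHARING=false' > "$sample"
lint_security_policy_env "$sample"
rm -f "$sample"
```

Run it against the env file in CI before deployment and fail the job when the output is non-empty.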