1. Network Isolation & Proxies

Because nLink acts as a bridge between multiple internal and external APIs, securing its network environment is critical.

  • Reverse Proxy: Never expose nLink's listening port directly to the public internet. Always put it behind a robust reverse proxy such as NGINX, Caddy, or Traefik.
  • SSL/TLS Encryption: Configure your reverse proxy to enforce HTTPS with valid certificates (e.g., via Let's Encrypt) so that payload data is protected in transit.
  • VPN & VPC: If your workflows only interact with internal microservices, consider placing the nLink instance in a private subnet or requiring VPN access for the web UI.

2. Credential & Secrets Management

nLink requires access to sensitive credentials (API keys, database passwords, OAuth tokens) to automate your applications.

  • Environment Variables: Store root runtime secrets (such as the master database password) strictly within the .env file. Ensure the file is owned by the service account and has restrictive permissions (e.g., chmod 600).
  • Node Credentials: Credentials you add to specific nodes via the UI are encrypted at rest in your database. Ensure the database itself is secured behind a firewall.

3. Evaluating Community Nodes

The nLink ecosystem supports importing custom Community Nodes built by third-party developers.

  • Review Before Importing: Since nodes execute on your own infrastructure, always review the Go and Vue source code of a Community Node before deploying it to production.
  • Execution Context: Community nodes run within the main engine's context, with the same privileges. Avoid importing untrusted nodes that make unchecked OS-level calls or unrestricted outbound HTTP requests.

4. Data Backups & Recovery

As a self-hosted platform, you hold complete ownership of your workflow data. We strongly recommend configuring automated backups:

  • Database Snapshots: Frequently back up your primary database (MySQL, PostgreSQL, or SQLite) using standard DB dumping tools. This database contains all your workflows, execution histories, and encrypted credentials.
  • Configuration Files: Keep a secure backup of your .env file. Without the original cryptographic seeds from this file, encrypted data in your database cannot be recovered.

5. Keeping Your System Updated

We continuously release patches, performance improvements, and security updates for the core engine.

  • Regularly check for official releases on our channels.
  • When updating, always back up your database before pulling the latest Docker image or binary to ensure a safe rollback path if necessary.

6. API Security & OOM Protection

nLink's Go engine is hardened against Denial-of-Service (DoS) and Out-Of-Memory (OOM) attacks natively at the socket layer:

  • Workflow Payload Limits: MaxBytesReader strictly limits incoming JSON workflow imports to 10MB, preventing memory exhaustion from oversized or junk uploads.
  • Webhook Safety: External webhook triggers and their payload data are capped at 5MB.
  • Community Store Protection: Zip node uploads are constrained to 50MB, with defenses against Zip Slip path traversal and Tar Bomb (decompression bomb) archives.
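The following Go snippet is an added illustration of the three controls above and is not nLink's own code: it wraps a request body in http.MaxBytesReader at the 10MB workflow-import cap, applies a Zip Slip check to archive entry names, and checks an archive's declared uncompressed size against a budget before inflating anything. The function names and the extraction root are assumptions; only the byte limits come from this guide.

```go
package main

import (
	"archive/zip"
	"encoding/json"
	"errors"
	"net/http"
	"path/filepath"
	"strings"
)

// Limits as stated in this guide; the function names below are assumptions.
const (
	maxWorkflowImportBytes = 10 << 20 // 10 MB cap on JSON workflow imports
	maxNodeZipBytes        = 50 << 20 // 50 MB cap on community node uploads
)

// decodeWorkflowImport wraps the body in http.MaxBytesReader, so an oversized
// upload fails at the 10 MB mark instead of being buffered into memory.
func decodeWorkflowImport(w http.ResponseWriter, r *http.Request) (map[string]any, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxWorkflowImportBytes)
	var wf map[string]any
	if err := json.NewDecoder(r.Body).Decode(&wf); err != nil {
		return nil, err // *http.MaxBytesError once the cap is exceeded
	}
	return wf, nil
}

// safeExtractPath is the Zip Slip check: the cleaned target of an entry must
// still sit below root, so a name like "../../etc/cron.d/x" is rejected.
func safeExtractPath(root, entryName string) (string, error) {
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, entryName) // Join resolves ".." segments
	if !strings.HasPrefix(dest, cleanRoot+string(filepath.Separator)) {
		return "", errors.New("zip entry would land outside the extraction root")
	}
	return dest, nil
}

// checkArchiveBudget guards against decompression bombs: the sizes declared in
// the central directory must fit the budget before any entry is inflated.
func checkArchiveBudget(entries []*zip.File, budget uint64) error {
	var total uint64
	for _, f := range entries {
		if total += f.UncompressedSize64; total > budget {
			return errors.New("declared uncompressed size exceeds the archive budget")
		}
	}
	return nil
}
```

Archive headers can lie about sizes, so a real extractor should additionally cap the bytes actually written per entry (for example with io.LimitReader) rather than trusting the declared total alone.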

7. Enterprise SSO & Identity Management

For organizations deploying nLink at scale, we provide robust SAML 2.0 Single Sign-On (SSO) integration designed with enterprise-grade security:

  • Zero-Trust Provisioning: New users authenticating via SSO are provisioned automatically (JIT) but default to a strictly restricted VIEWER role. They cannot execute workflows or view sensitive configuration until an Admin explicitly grants access.
  • Cryptographic Verification: nLink enforces strict XML Digital Signature (XMLDSIG) validation against your Identity Provider's X.509 certificate, so tampered assertions are rejected.
  • Replay Attack Prevention: A built-in in-memory or Redis cache tracks already-consumed SAML assertions, so a captured assertion cannot be replayed.