Security & Isolation
Security Architecture
Section titled “Security Architecture”Security is not an afterthought in Kizuna; it is the foundation. Given the sensitivity of automation workflows (which often contain API keys), we implement defense-in-depth strategies.
Encryption at Rest
Section titled “Encryption at Rest”All sensitive credentials stored in the database are encrypted using AES-256-GCM.
- n8n API Keys
- GitHub Personal Access Tokens
The encryption key is defined by N8N_ENCRYPTION_KEY in your environment variables. Without this key, the data in the database is unreadable.
Kizuna allows for a multi-user environment where each user operates within their own isolated workspace.
Workspace Isolation
Section titled “Workspace Isolation”Each user has full ownership and control over the servers, workflows, and credentials they add. Data is isolated by user ID at the database level using Row Level Security (RLS). One user cannot see or modify another user’s servers.
System Roles
Section titled “System Roles”| Role | Own Resources | System Plugins |
|---|---|---|
| Admin | Full Access | Manage (Enable/Disable) |
| User | Full Access | View Only |
- User: Can manage their own servers, workflows, and favorites. Cannot modify system-wide settings like Plugins.
- Admin: Has all the rights of a User, plus the ability to enable/disable global plugins for the installation.
SSRF Protection
Section titled “SSRF Protection”Server-Side Request Forgery (SSRF) is a common vulnerability in tools that make HTTP requests to user-defined URLs. Kizuna includes a custom SSRF validator that:
- Resolves the DNS of the provided n8n URL.
- Checks if the IP belongs to a private range (unless explicitly allowed for local dev).
- Blocks requests to internal metadata services (e.g., AWS EC2 metadata).
Security Audit
Section titled “Security Audit”The codebase has undergone a comprehensive internal security review, achieving a score of 9.2/10.