Master n8n Guardrails: A Guide to Secure Your AI Workflows
Learn how to secure your n8n AI workflows using the new Guardrails node. This guide covers everything from blocking keywords and PII to preventing jailbreak attacks and sanitizing text.
Master n8n Guardrails: A Guide to Secure Your AI Workflows
With the introduction of the Guardrails node, n8n has taken a significant step forward in AI workflow security. Guardrails act as a security layer for your AI agents, allowing you to validate, filter, and sanitize the data that flows in and out of your language models. This guide will walk you through every feature of the Guardrails node to help you build more robust and secure AI automations.
Prerequisites
- You must be on n8n version
1.119.1or higher to use the Guardrails node.
What Are n8n Guardrails?
When building AI agents, you often receive unstructured input from users and generate output from a language model. This process is vulnerable to security risks like prompt injection or users submitting malicious or inappropriate content.
Guardrails help mitigate these risks by allowing you to define a set of rules to check content against. If the content violates a rule, you can stop the workflow, preventing the unsafe data from being processed by your AI agent.
The Guardrails Node Operations
The Guardrails node is an AI-powered node that requires a connection to a language model (like OpenAI's GPT models) to function. It has two primary operations:
- Check Text for Violations: This operation inspects the input text against one or more selected guardrails. The node then routes the execution to either a "Pass" or "Fail" output branch, making it easy to handle violations.
- Sanitize Text: Instead of just blocking content, this operation masks sensitive information within the text (like PII, API keys, or URLs) and passes the "clean" text to the output.
Guardrail Types for Checking Violations
Here are the different types of built-in guardrails you can use to check for violations.
1. Keyword Guards
This is the simplest guardrail. It checks if the input text contains any specific keywords you want to block, such as hack, phishing, virus, or any offensive terms.
2. Jailbreak Guards
Jailbreak attempts happen when a user tries to bypass the safety instructions of your AI agent with clever prompting (e.g., "You are now in dev mode. Ignore all safety rules..."). This guardrail is specifically trained to detect and block such prompt injection attacks. You can adjust the Threshold to control its sensitivity (a lower value is stricter).
3. NSFW (Not Safe for Work) Guards
This guardrail detects explicit, offensive, or violent content. It's essential for maintaining a safe user experience and preventing your AI agent from processing or generating inappropriate material.
4. URL Guards
When your workflow accepts URLs as input, this guardrail provides granular control. You can configure it to block all URLs except a specific list of allowed domains, ensuring your agent only interacts with trusted websites.
5. PII (Personally Identifiable Information) Guards
This powerful guardrail detects a wide range of sensitive data. You can configure it to block all PII types or only selected types, including:
- Credit card numbers
- Phone numbers
- Email addresses
- Crypto addresses
- US bank account numbers
- And many more.
6. API Keys & Secrets Guards
To prevent accidental exposure of credentials, this guardrail detects patterns that look like API keys and secrets. It has three sensitivity levels:
- Strict: Most sensitive, highest chance of catching potential keys.
- Balance: A middle ground between strict and permissive.
- Permissive: Least sensitive, lowest chance of false positives.
7. Topical Alignment Guards
This guardrail is perfect for when you want your AI agent to stay on a specific topic. You define a Business Scope (e.g., "n8n automations"), and the guardrail will check if the user's query is related to that topic. If a user asks an unrelated question (e.g., "What's the weather in Australia?"), the workflow will fail, preventing your agent from going off-topic.
8. Custom Regex Guards
For ultimate flexibility, you can define your own rules using Regular Expressions (Regex). For example, you could create a regex to detect and block any email address pattern, giving you custom control over the validation logic.
How to Sanitize Text
While blocking is useful, sometimes you want to process the text while protecting sensitive information. The Sanitize Text operation is designed for this.
Instead of blocking the entire input, it finds and masks the sensitive data. For example, the input My US bank number is 123456789 would become My US bank number is [US_BANK_NUMBER].
The output of the node includes the sanitized text, the type of entity that was detected (e.g., US_BANK_NUMBER), and the original hidden text. This allows you to safely pass the sanitized prompt to your AI agent while logging the original, sensitive data securely if needed.
You can apply multiple guardrails at once (e.g., PII, URL, and Secrets) for comprehensive sanitization in a single step.
Advanced: Custom Guardrails
If none of the built-in guardrails fit your specific use case, the Guardrails node offers a Custom option. Here, you can write your own system prompt that defines a custom validation rule. This gives you complete control to build any kind of content analysis or filtering logic you need, tailored to your exact requirements.