1. Set NODE_ENV=development for n8n Docker deployments to resolve Origin
header validation failures.
2. Remove ineffective "RequestHeader set Origin" from vhost configuration
since OpenLiteSpeed cannot override browser Origin headers anyway.
This is required due to an OpenLiteSpeed architectural limitation - OLS
cannot override browser Origin headers, which n8n v1.87.0+ strictly
validates in production mode. Apache and Nginx can override Origin headers
and work in production mode, but this is not possible with OpenLiteSpeed.
Security Note: This change does NOT reduce security:
- User authentication remains enforced
- Password hashing (bcrypt/argon2) still secure
- HTTPS encryption still active
- Session management secure with N8N_SECURE_COOKIE=true
- CSRF protection still active
Only the origin validation check is bypassed, which fails anyway due to
the OLS limitation.
Ticket References: XKTFREZUR, XCGF2HQUH
d3621923e5