If you use n8n for automations involving large language models (LLM), you probably know not only about their huge capabilities but also about the risks. LLMs remain a “black box”: they can accidentally disclose personal data, generate toxic content, or fall victim to prompt injection.

Until recently, you had to “wrap” an AI workflow with many IF nodes and complex Regex checks. It was cumbersome and unreliable.

Since version 1.119.0 n8n includes the Guardrails node — and it’s truly a game-changer. It’s your personal security layer that you can place at the input and output of any AI process.

🧠 What is Guardrails?

The Guardrails node works as an intelligent text filter and validator. It’s most often used:

• On input (Input Guardrail) — before sending user text to the LLM.
• On output (Output Guardrail) — before returning the response to the user or passing it to another system.

Modes of operation:

• Check Text for Violations — check for violations.
• Sanitize Text — automatic cleaning/masking of data.

If the text fails the rules, the workflow branches — you can stop the process, send a fallback response, or log the issue.

🚀 Key features of Guardrails

🛡️ Detection of PII and secrets (Secrets & PII)

The node can find and mask:

• credit card numbers
• email addresses
• phone numbers
• API keys and secrets
• custom patterns via Regex

This prevents leakage of sensitive data — both in logs and in AI responses.
For GDPR-compliant projects — a must-have.

🚫 Content moderation (NSFW & Toxicity)

Guardrails analyzes text via an LLM to determine:

• toxicity
• profanity
• expressions of hate
• NSFW content

The confidence threshold is set manually (0.0–1.0).

This prevents situations where your assistant suddenly “rude” to a user.

🎯 Topical control (Topical Guardrails)

You can specify what the AI should talk about and what it should not.

This keeps the model within the task: for example, tech support should answer about the product, not discuss politics or write borscht recipes.

🔒 Protection against attacks (Prompt Injection and Malicious URLs)

Guardrails can:

• detect attempts at jailbreak/prompt injection
• block suspicious URLs
• allow only trusted domains
• forbid links with credentials

This makes public LLM endpoints much safer.

⚙️ Custom rules

You can add your own:

• Keywords — allow/block words
• Regex — any complex checks
• LLM-rules — one model checks the output of another

For example: “Is this answer correct?”, “Does it contain personal data?”, “Is this a respectful tone?”

🛠️ Example: a safe AI assistant

Scenario

A user sends the question:

Привет! Мой продукт не работает. Мой email: [user@example.com](mailto:user@example.com)

1. Guardrail (Input, Sanitize Text)

   • replaces the email → [EMAIL]
   • checks for prompt injection

2. LLM responds, but accidentally generates a rude remark.

3. Guardrail (Output, Check Violations)

   • finds a toxic fragment
   • workflow goes to the fallback branch

4. The user receives a safe response:
   “Our AI assistant is temporarily unavailable. We have forwarded your question to an operator.”

Without Guardrails there would have been a disaster: a toxic reply + an email leak in the logs.

🏁 Conclusion

Guardrails turns n8n into a platform that can be used safely in production.

It’s a security layer that:

• protects against leaks
• filters toxic content
• prevents prompt injection
• controls response topics
• ensures regulatory compliance (GDPR, PDPA, etc.)

If you use LLMs in automations — Guardrails should be on by default.
The next step is building your own rules and corporate policies on top of n8n’s base functionality.