Very good to work with Node-RED, I am happy to enter this IOT world, I am not sure if this has already been discussed here, forgive me!
I created a simple application in Node-RED, but just as everything in node-red is simple, it is also simple for the competitor to copy all of our code when he has access to the server or the node-red IDE, there is some safe way to deploy the application (API-Rest) on the client server?
Only if you can prevent your users from accessing the server and then also prevent access to the Node-RED Editor.
The 2nd part is easy and you can either completely turn off the Editor or add authorisation to it. Both are covered in the docs.
Whether you can do the first part will depend on how you deploy and what contract you have with your customers. Obviously if you don't allow your customers access to the server, it means that you or your organisation have to be around (at least remotely) to deal with things if they go wrong. You will most likely also need to be able to replace the server in a hurry if it breaks.