So this is the dangerous part. Nobody in this forum will give you exact advise on how to do this because it could put us in a difficult position should you later get hacked. So any information here is given on the understanding that both responsibility and accountability for the safety and security of yourself and anyone else is yours and yours alone. Please bear in mind that in some countries, this could, in extreme cases, put criminal as well as civil liabilities on you.
So having said that, I've already outlined what you will need in order to make this happen with even a modicum of safety.
The easiest way is to set up your Pi with absolutely minimum software on it and keep any flows to a minimum too. Make sure that you create new user accounts, one for admin use and a separate one for running Node-RED, Caddy should also have its own. Then delete the pi account.
Use a second device if needed to house more sensitive things and keep that separated from the Pi that is connected to the internet.
The connected pi should have Caddy installed and configured for Let's encrypt to get security certificates - for this, you also need a registered domain name that points to the external IP address of your home connection. A domain will cost you a few dollars a year. The certificate is free. Caddy will take care of the renewals for you. Configure Caddy to act as a reverse proxy for both the HTTP and websockets connections that you will need for access to Node-RED. You can also use Caddy to provide user logins if you need that, if you don't, just remember that anyone on the Internet will be able to access your Dashboard. You MUST use HTTPS (which is what the certificate is for), block all HTTP, also block websockets (ws) and only allow secure websockets (wss). If using user logins, also configure something like fail2ban which will help detect people trying to brute force the logins and will auto-ban them.
Also don't forget to disallow any access to the Node-RED Editor. Move it to a different path. Also don't use the default port (1880), move it to something high (it must be over 1024).
Now go and read up more about securing Linux (Debian). Then read it all again, and probably at least one more time. Take the time to implement any recommendations.
Next, go register at Cloudflare and assign your registered domain to the Cloudflare name servers - better still, register you domain via Cloudflare, its as cheap as you can get it. Set up security in Cloudflare so that it is acting as a proxy for your connection. Now go to your router and allow a single inbound connection on port 443 (https) and route it to the pi's ip address and the port you set up in caddy. BUT only allow a connection from the Cloudflare servers. Cloudflare can also do user logins for you which is even easier to set up but I think you only get 5 logins on the free tier.
Now test to make sure you cannot connect to your endpoint directly (using your home's external ip address for example). Next test that you can access it via the domain name and check cloudflare to make sure things are routing through it.
Finally look up a bunch of web security test sites and test your connection to make sure it is reasonably secure. If you are getting a score of less than B, something is probably wrong. You should be aiming for A, A+ but that is actually very hard to do.
Ideally, you would also have configured logging and would monitor attempted connections to be sure that the only connections ever happen via cloudflare.
Now go make sure that you have a bunch of reminders set so that you are updating everything weekly. You can also add some software that will alert you if any of the settings in /etc
change which would indicate someone has broken in.
Seems like too much effort or too hard? Good. Don't even think about trying in that case.
If you get to here and you have a nicely configured and safe endpoint, welcome to the club of geeks who run their own servers. And finally, remember that, on the Internet, safety is an illusion brought on by lack of knowledge. Also today's security is tomorrows security hole.