In that case, my recommendation is that you set up a second Pi - preferably in a DMZ (where both the inside and outside network edges are protected by their own firewall settings; most decent routers should allow you to set this up).
Then use the outer Pi to run NGINX or Caddy with HTTPS termination. Your page will send the button press via the web server to Node-RED (which will have no direct input from the Internet). You can set that instance of Node-RED to run without the admin interface once you've set the flow up. The flow will use an http-in node to define a REST API endpoint. Make sure that your web server does not allow websockets in from the Internet.
On that outer Pi, set Node-RED to have MQTTS access to your broker that runs on the inner Pi (this step would not be viable on a truly secure system but should be OK for you).
Set up acme.sh on the inner Pi to talk to Let's Encrypt and get the keys/certificates needed for HTTPS and MQTTS. Send the appropriate certificates and keys from the inner Pi to the outer (so that the outer Pi continues to have minimal access to the inner network).
So the outer firewall only needs to allow port 443 (HTTPS) inbound, and only to the outer Pi. The inner firewall only allows inbound MQTTS through, and only from the outer Pi. The outer Pi is only running a web server and Node-RED with no admin interface.
You will likely want SSH on the outer Pi (certainly don't run a desktop) - move that to a non-standard port and only allow traffic on that port from your inner network.
This probably sounds quite complex but it isn't that bad really. It will certainly leave you with a reasonably secure setup that is unlikely to end up with your business crashing because of compromised hardware and software.
I shouldn't really need to say but will for clarity - this is not a professional recommendation. It is some friendly non-professional thoughts. If in doubt, hire a professional to protect your business.
And if you think you are too small to warrant any hacker attention - think again. Hacks mostly start with automated probes and equally automated insertions of services onto poorly protected systems. Indeed, most hacks will never see attention from a real person but will either add your system to a giant botnet and/or will insert malware to encrypt everything and/or, if you have customer data, steal that and sell it on the dark web.
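As an added illustration of the outer-Pi web server described above (this is example configuration written for this page, not something from the post's author or from the Node-RED project), here is an NGINX server block that terminates HTTPS, forwards exactly one REST endpoint to a Node-RED http-in node, and refuses WebSocket upgrades so that neither the editor's /comms channel nor a dashboard socket can be reached from the Internet. The hostname button.example.com, the certificate paths, the endpoint path /api/button and the assumption that Node-RED listens on 127.0.0.1:1880 are all placeholders to adapt.

```nginx
# Example outer-Pi NGINX site, added for illustration (not from the original post).
# Assumptions: the http-in node is configured as "POST /api/button", Node-RED is
# bound to loopback on port 1880, and acme.sh has delivered the certificate and key
# to the paths below.

server {
    listen 443 ssl;
    server_name button.example.com;

    ssl_certificate     /etc/nginx/certs/button.example.com.fullchain.cer;
    ssl_certificate_key /etc/nginx/certs/button.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The one and only path that reaches Node-RED, and only as a POST.
    location = /api/button {
        limit_except POST { deny all; }

        # Reject any client that asks for a protocol upgrade (WebSocket),
        # and never forward Upgrade/Connection headers to the backend.
        if ($http_upgrade != "") { return 403; }
        proxy_set_header Upgrade    "";
        proxy_set_header Connection "";

        proxy_pass         http://127.0.0.1:1880/api/button;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;

        # A button press carries almost no body; cap it to limit abuse.
        client_max_body_size 4k;
    }

    # Everything else (editor, /comms, dashboard, static files) stops here.
    location / {
        return 404;
    }
}

# Plain HTTP does nothing but redirect. Because acme.sh runs on the inner Pi in
# the setup above, nothing here serves /.well-known/acme-challenge/; use the
# DNS-01 challenge there rather than HTTP-01.
server {
    listen 80;
    server_name button.example.com;
    return 301 https://$host$request_uri;
}
```

On the Node-RED side of this example, the matching settings.js entries are `httpAdminRoot: false` (no editor at all on the outer instance once the flow is deployed) and `uiHost: '127.0.0.1'`, so Node-RED only ever answers NGINX on the loopback interface. The flow itself is just an http-in node set to POST /api/button, whatever processing turns the press into an MQTT publish to the inner broker over MQTTS, and an http response node so the browser gets a reply. Check the result from outside with a plain GET to /api/button (expect 405), a request for / (expect 404) and a WebSocket handshake against /comms (expect 404, or 403 if you point it at /api/button) before trusting the edge.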