Guest “view-only dashboard” (limited pages) + hidden flows/editor — is this possible in Node-RED?

Hi all,

We run Node-RED (prod 4.1.5) in Docker on a Raspberry Pi for a dive-shop / compressor monitoring setup. Node-RED is not just a static dashboard for us: it reads multiple sensors (temperatures, compressor runtime/service counters, states), writes to databases, and also controls outputs (e.g. relays/actuators).

We want to provide external guests (interested visitors) a safe “status view”:

  • Guests:
    • Dashboard only (ideally only specific pages/tabs; everything else forbidden)
    • No access to flows/editor at all
    • View-only (no buttons, no changing values)
  • Admin:
    • Full access (editor, flows, dashboard, everything)

This feels like a very common real-world requirement (public/guest status display vs admin control), but we can’t find a clean built-in way in Node-RED Dashboard / Node-RED security settings, and Node-RED 5 doesn’t seem to change that either.

Questions:

  1. Is there a recommended best practice to achieve “guest view-only dashboard” + “admin full access” on a single Node-RED instance?
  2. Can guests be restricted to specific dashboard pages (not just readOnly globally)?
  3. If not, what’s the most maintainable approach people use in production?

Thanks for any pointers or patterns you recommend.

I've always been clear on my recommended approach to this common issue.

Use an external reverse proxy. NGINX, Caddy, HAProxy, etc. can all provide this capability, and there are various threads in the forum about configuring some of these for Node-RED use.

Basically, the proxy lets you do different security for different URL paths. So you could go further than your request. For example, you could restrict access to the Editor to only your LAN but allow logged-in access to your Dashboard (or UIBUILDER resources :wink: ) using your preferred Identity and Access Management (IdM) tooling.

While Node-RED does have some built-in security features, that isn't its strength. When it comes to security, you really do want to use tooling that has stood the test of real-world, large-scale deployment. You also want a layered approach, not all eggs in one basket.

Remember that Dashboard (both 1 and 2) are SINGLE PAGE APP style web pages. This does not lend itself to real security between "pages" because the "pages" are not actually web pages at all. There is a single web page with multiple front-end routes.

You can hide data from different people if you have implemented web IdM. But you should carefully check the app to see if data can be leaked across routes.

If you need the extra security, you will need to use UIBUILDER which allows both multi- and single-page apps to be built and can even have multiple nodes to keep data and code completely separate.
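
The path-based split described in the reply above, sketched as an NGINX site file. This is an added example, not configuration posted in the thread. It assumes Node-RED listens on 127.0.0.1:1880 with the editor at `/` and the dashboard under `/dashboard/`; the hostname, LAN range and file paths are placeholders.

```nginx
# Added example; include from the http {} context (e.g. conf.d/nodered.conf).
# Assumptions: Node-RED on 127.0.0.1:1880, editor at "/", dashboard at /dashboard/.
# Port 1880 must not be reachable from outside except through this proxy
# (in Docker, publish it on 127.0.0.1 only), or the rules below can be bypassed.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream nodered {
    server 127.0.0.1:1880;
}

server {
    listen 443 ssl;
    server_name status.example.org;                      # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;      # placeholder

    # Shared proxy settings; the Upgrade headers carry the editor and
    # dashboard websocket connections through the proxy.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;

    # Dashboard: reachable from any network, but only after login.
    location /dashboard/ {
        auth_basic           "Status view";
        auth_basic_user_file /etc/nginx/guests.htpasswd; # placeholder
        proxy_pass http://nodered;
    }

    # Everything else (editor, admin API, http-in endpoints): LAN only.
    location / {
        allow 192.168.1.0/24;                            # placeholder LAN range
        deny  all;
        proxy_pass http://nodered;
    }
}
```

The proxy decides who can reach which URL path; it does not inspect dashboard websocket messages, so it does not by itself make widgets read-only or separate one dashboard "page" from another.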