We want to be able to open up a public endpoint (HTTP In Node) to be a webhook to receive post data from Zapier, but I want to make sure it is secure.
You can get a list of the Zapier server IP list but this is constantly changing and right now I don't have time to develop a custom solution to update the IP list and lockdown to Zapier's IPs.
So I would like to know how secure is NodeRed if I were to open up the port 1880 to the internet?
As long as you have setup adminAuth to secure the editor (and don't allow anonymous access) and https in your settings file, then it's no different to any web server application.
You still have to be mindful as to what http routes you expose and what, if any, security you need to apply to them.
I'm sure others will share their thoughts as to putting it behind some sort of reverse proxy like nginx for even more peace of mind.
You might also want to look at sending some kind of credentials with the webhook from zapier (that you can then periodically change) Just in case someone discovers your endpoint and sends it data.
Although this will depend a bit on your use case.
BTW I've built a Zapier node and coresponding package, this implements the token functionality as above but its no more or less secure than creating your own webhook really node-red-contrib-zapier (node) - Node-RED
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy