How secure is opening up a public endpoint

We want to be able to open up a public endpoint (HTTP In Node) to be a webhook to receive post data from Zapier, but I want to make sure it is secure.

You can get the Zapier server IP list, but it is constantly changing, and right now I don't have time to develop a custom solution to update the IP list and lock down to Zapier's IPs.

So I would like to know: how secure is Node-RED if I were to open up port 1880 to the internet?

As long as you have set up adminAuth to secure the editor (and don't allow anonymous access) and https in your settings file, then it's no different to any web server application.

You still have to be mindful as to what HTTP routes you expose and what, if any, security you need to apply to them.

I'm sure others will share their thoughts as to putting it behind some sort of reverse proxy like nginx for even more peace of mind.


You might also want to look at sending some kind of credentials with the webhook from Zapier (that you can then periodically change), just in case someone discovers your endpoint and sends it data.
Although this will depend a bit on your use case.
BTW, I've built a Zapier node and corresponding package. This implements the token functionality as above, but it's no more or less secure than creating your own webhook really: node-red-contrib-zapier (node) - Node-RED

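The shared-credential check suggested in the reply above, as an added example that is not part of the original posts or of node-red-contrib-zapier: a constant-time token comparison that accepts both the current and the previous token so the secret can be rotated. The header name `x-webhook-token` and the token values are assumptions; in a flow the headers object would be `msg.req.headers` from the HTTP In node.

```javascript
// Added example: shared-token check for a webhook route (plain Node.js).
const crypto = require("crypto");

// Assumption: the sender puts the token in this header; the name is hypothetical.
// Node lowercases incoming header names, so the lookup key is lowercase.
const TOKEN_HEADER = "x-webhook-token";

// Hash both sides so the buffers given to timingSafeEqual always have equal length.
function sha256(value) {
  return crypto.createHash("sha256").update(String(value), "utf8").digest();
}

// Returns true if `presented` matches any accepted token.
// Every candidate is compared (no early exit) so timing does not reveal which one matched.
function tokenIsValid(presented, acceptedTokens) {
  if (typeof presented !== "string" || presented.length === 0) return false;
  const presentedHash = sha256(presented);
  let ok = false;
  for (const token of acceptedTokens) {
    if (crypto.timingSafeEqual(presentedHash, sha256(token))) ok = true;
  }
  return ok;
}

// Decide the HTTP status for an incoming request's headers.
// Keeping the previous token in the list allows rotation without dropping deliveries.
function checkWebhook(headers, acceptedTokens) {
  const presented = headers ? headers[TOKEN_HEADER] : undefined;
  return tokenIsValid(presented, acceptedTokens)
    ? { statusCode: 200, accepted: true }
    : { statusCode: 401, accepted: false };
}

// Constructed sample values; real tokens should be long random strings
// stored outside the flow file (for example in an environment variable).
const ACCEPTED = ["constructed-current-token", "constructed-previous-token"];
console.log(checkWebhook({ "x-webhook-token": "constructed-current-token" }, ACCEPTED));
console.log(checkWebhook({ "x-webhook-token": "guess" }, ACCEPTED));
console.log(checkWebhook({}, ACCEPTED));
```

This only authenticates the sender; it still relies on https being enabled so the token is not sent in clear text.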

Thanks, gentlemen! Very helpful.

@knolleary @sammachin
