For reference, the easiest way to add a measure of security is to use a web reverse proxy to do the endpoint security for you. NGINX, HAProxy, Apache Server, etc. can all do this pretty readily and are almost certain to provide better assurance than using Node-RED alone. They will also tend to give you a good performance boost as well.
You can go even further and use something like Cloudflare to act as a front-end. It will filter out known attacks, provide worldwide caching of static assets, provide fairly strong TLS support, analytics and more. Just make sure that you configure your local router to only allow Cloudflare servers to talk to Node-RED.
You will also need to look at using certificates to enable local HTTPS. Even when using Cloudflare, you should encrypt the traffic to/from CF, though going that route allows you to use a self-signed certificate that you can create for yourself. Though these days, getting and maintaining a certificate via Let's Encrypt is generally easy enough.
Make sure also that you have used long passkeys to prevent access to your admin UI.
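
A sketch of the reverse-proxy setup described above, using NGINX. This is an added example, not part of the original post. It assumes Node-RED is on its default port 1880 and bound to localhost; the hostname, certificate paths and the allowed address range are placeholders.

```nginx
# Loaded inside the http context (e.g. /etc/nginx/conf.d/nodered.conf).
# Assumptions: Node-RED listens on 127.0.0.1:1880 (uiHost set to
# "127.0.0.1" in settings.js) so it cannot be reached except via NGINX.
# nodered.example.com and the certificate paths are placeholders.

# The Node-RED editor uses WebSockets, so Upgrade requests must be passed on.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name nodered.example.com;
    return 301 https://$host$request_uri;   # never serve the editor over plain HTTP
}

server {
    listen 443 ssl;
    server_name nodered.example.com;

    # Placeholder paths: a Let's Encrypt or self-signed certificate and key.
    ssl_certificate     /etc/letsencrypt/live/nodered.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nodered.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only needed when Cloudflare is the front end: accept the front end's
    # addresses and refuse everything else. 203.0.113.0/24 is a placeholder;
    # replace it with the ranges Cloudflare publishes, one allow line each.
    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:1880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` to validate the file before reloading. The allow/deny pair complements the router rule rather than replacing it.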