I’m running a Node-RED dashboard and want to improve security by disabling the Node-RED editor after the dashboard is up and running. My goal is to prevent anyone from accessing the editor and modifying the flows, especially if they know the IP address.
I have a couple of requirements:
Secure the dashboard: The dashboard should remain accessible while the editor is disabled.
Prevent flow modifications: Once the editor is disabled, no one should be able to access it or deploy changes via the editor interface.
I tried setting enabled: false under the editorTheme section in the settings.js file, but the editor is still accessible after a restart.
Can anyone provide guidance on how to fully disable the Node-RED editor while keeping the dashboard functional? Are there alternative methods like firewalls, reverse proxies, or API calls that can be used to achieve this?
This will allow you to lock the editor, with a username / password.
If access is happening within the same network, this should be "good enough", but if it is being accessed over the WAN, then yes, reverse proxies and tunnelling are the way.
the root URL for the editor UI. If set to false, all admin endpoints are disabled. This includes both API endpoints and the editor UI. To disable just the editor UI, see the disableEditor property below. Default: /
As mentioned above, this is not doing what you think (you have the wrong thing!).
Also, check you are modifying the right file. What does your Node-RED log say at startup? It tells you the settings file it is using.
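To make the two settings discussed above concrete, here is a minimal settings.js (an added example, not from any post in this thread) that keeps a dashboard reachable while closing the editor; the key names are real Node-RED settings, the bcrypt hash is a placeholder, and exposedSurfaces is a small helper added here for checking the effect of the settings:

```javascript
// Added example settings.js for Node-RED (not from the original thread).
// Real setting names are used; the password hash below is a placeholder.

// NOT this: editorTheme has no "enabled" switch, so the editor stays open.
// editorTheme: { enabled: false }

const settings = {
  uiPort: process.env.PORT || 1880,

  // The admin API and the editor live under httpAdminRoot ("/" by default).
  // Keeping it and setting disableEditor removes only the editor UI; the
  // admin HTTP API stays up (handy for scripted deploys of flows).
  httpAdminRoot: "/",
  disableEditor: true,

  // Alternatively set httpAdminRoot to false to drop the admin API as well:
  // httpAdminRoot: false,

  // Dashboard, http-in nodes etc. are served under httpNodeRoot, which is
  // independent of httpAdminRoot, so the dashboard survives either choice.
  httpNodeRoot: "/",
  ui: { path: "ui" }, // node-red-dashboard is served at /ui

  // Password-protect whatever admin endpoints remain.
  // Generate the hash with: node-red admin hash-pw
  adminAuth: {
    type: "credentials",
    users: [
      {
        username: "admin",
        password: "$2b$08$PLACEHOLDER_BCRYPT_HASH_REPLACE_ME",
        permissions: "*",
      },
    ],
  },
};

// Helper (added here, not a Node-RED API): report which HTTP surfaces a
// settings object leaves reachable, mirroring the rules quoted above.
function exposedSurfaces(s) {
  const adminApi = s.httpAdminRoot !== false;
  const editor = adminApi && s.disableEditor !== true;
  const dashboard = s.httpNodeRoot !== false;
  return { adminApi, editor, dashboard };
}

module.exports = settings;
```

Run `node -e 'require("./settings.js")'` after editing to catch syntax errors before restarting Node-RED, and confirm the log line naming the settings file matches the one you changed.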
I just wanted to take a moment to express my gratitude for the support and guidance provided regarding the disableEditor and httpAdminRoot flags in Node-RED. Your insights were incredibly helpful in clarifying how to manage access to the editor UI and admin API.
Thanks to your explanations, I was able to resolve the issue I was facing. I truly appreciate the time and effort you put into answering my questions.
I would like to add that, in my opinion, by far the best way to secure the Editor separately from any user-facing endpoints (including Dashboard) would be to use an external proxy to ensure that access to the Editor can only ever happen from an appropriate client with appropriate security.
There are many proxy services that can help with this. A relatively easy approach if you are accessing things over the Internet would be to use Cloudflare Zero Trust where you simply only route the Dashboard to the Internet via the cloud proxy and leave the Editor to only be accessible from your local network.
This is only one example configuration.
Doing security outside of Node-RED is almost always going to be more effective and secure.
Thank you for your input. Yes, we will be using HAProxy with security policies and URL routing to safeguard editor access. We truly appreciate your quick response and support.
We’ve begun exploring Node-RED and are highly impressed with its architecture and design, which significantly streamlines our application development.
You may also want to consider FlowFuse, it's built by the same team as Node-RED, and includes a lot of the security layers you're after, by default. It has a free, self-hosted option, but also comes with paid tiers for additional features should they be required.
Thank you @joepavitt! We will certainly explore the FlowFuse cloud offering. We’ve just begun learning Node-RED’s capabilities to develop an enterprise application.