I’m running a Node-RED dashboard and want to improve security by disabling the Node-RED editor after the dashboard is up and running. My goal is to prevent anyone from accessing the editor and modifying the flows, especially if they know the IP address.
I have a couple of requirements:
- Secure the dashboard: The dashboard should remain accessible while the editor is disabled.
- Prevent flow modifications: Once the editor is disabled, no one should be able to access it or deploy changes via the editor interface.
I tried setting `enabled: false` under the `editorTheme` section in the `settings.js` file, but the editor is still accessible after a restart.
Can anyone provide guidance on how to fully disable the Node-RED editor while keeping the dashboard functional? Are there alternative methods like firewalls, reverse proxies, or API calls that can be used to achieve this?
Hi @Nandhini-Subramaniya
Who or what is accessing the Dashboard?
Is this being accessed from within the same network?
If so, is there any reason you can't just use the built-in editor login mechanism?
```javascript
// settings.js: editor login (bcrypt password hashes, one entry per user)
adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
            permissions: "*"      // full access: edit and deploy
        },
        {
            username: "george",
            password: "$2b$08$wuAqPiKJlVN27eF5qJp.RuQYuy6ZYONW7a/UWYxDTtwKFCdB8F19y",
            permissions: "read"   // view only
        }
    ]
}
```
This will allow you to lock the editor, with a username / password.
If access is happening within the same Network - this should be "good enough", but if being accessed by WAN - then yes, Reverse Proxies, tunnelling is the way.
@TotallyInformation is knowledgeable here, if you go down that route
I have never heard of that happening, do you have something reverting those changes during start up?
You can do this in several ways:
- via securing node-red
- via the `disableEditor` flag in settings.js (Configuration : Node-RED): if set to true, prevents the editor UI from being served by the runtime. The admin API endpoints remain active. Default: false.
- via the `httpAdminRoot` flag in settings.js (Configuration : Node-RED): the root URL for the editor UI. If set to false, all admin endpoints are disabled. This includes both API endpoints and the editor UI. To disable just the editor UI, see the `disableEditor` property below. Default: /
As mentioned above, this is not doing what you think (you have the wrong thing!)
Also, check you are modifying the right file. What does your node-red log say at start up (it tells you the settings file it is using)?
Wrong flag Marcus. See my post above
Ah!
Thanks, hence the confusion. I knew it should have disabled the thing, but yeah, change the right thing.
(And I use that often as well!)
I just wanted to take a moment to express my gratitude for the support and guidance provided regarding the `disableEditor` and `httpAdminRoot` flags in Node-RED. Your insights were incredibly helpful in clarifying how to manage access to the editor UI and admin API.
Thanks to your explanations, I was able to resolve the issue I was facing. I truly appreciate the time and effort you put into answering my questions.
I would like to add that, in my opinion, by far the best way to secure the Editor separate to any user-facing endpoints (including Dashboard), would be to use an external proxy to ensure that access to the Editor can only ever happen from an appropriate client with appropriate security.
There are many proxy services that can help with this. A relatively easy approach if you are accessing things over the Internet would be to use Cloudflare Zero Trust where you simply only route the Dashboard to the Internet via the cloud proxy and leave the Editor to only be accessible from your local network.
This is only 1 example configuration.
Doing security outside of Node-RED is almost always going to be more effective and secure.
Thank you for your input. Yes, we will be using HAProxy with security policies and URL routing to safeguard editor access. We truly appreciate your quick response and support.
We’ve begun exploring Node-Red and are highly impressed with its architecture and design, which significantly streamlines our application development.
Thank you
You may also want to consider FlowFuse, it's built by the same team as Node-RED, and includes a lot of the security layers you're after, by default. It has a free, self-hosted option, but also comes with paid tiers for additional features should they be required.
Note: I work for FlowFuse
Thank you @joepavitt ! We will certainly explore the FlowFuse cloud offering. We’ve just begun learning Node-Red’s capabilities to develop an enterprise application.