How to 'whitelist' IP addresses that can access Node-RED

This is just "a way" to make it more secure, and it truly isn't "The Way".
But in answer to your question, this modification will also protect the dashboard, as it uses the Admin API.

See below (Error 401) - suggesting the dashboard is using the Admin Express Endpoint

1 Like

Instead of just "including" the list of addrs from a JSON file, you can make a proper JavaScript module, i.e. this simple whitelist.js file:


// Allowed ip addresses
const whitelist = [
  "127.0.0.1",                    /* Localhost */
  "192.168.1.0/24"                /* Private Network */
]

module.exports = whitelist

Then you can use require in your settings.js like you did before...

> const ipAddrs = require("./whitelist")
[ '127.0.0.1', '192.168.1.0/24' ]

3 Likes

Indeed!

How the whitelist (blocklist in reverse) is fed the IPs - is entirely variable

To use a whitelist... do you need to block all other IPs that are not in the whitelist?

Nope.

The check is -> is this IP in the allowed list, if not... Do One!

1 Like

The Node JS blocklist should be used as follows

if(BlockList.check(<ip>)){
   // Do One!!
} else {
   // Allow
}

I'm just reversing it

if(BlockList.check(<ip>)){
   // Allow
} else {
   // Do One (401)
}

It's a shame they call it a block list for this use case.
In theory you could switch it - but will likely be less effective

Hi all,

I like this discussion. But one thing that stands out to me is that you only talk about IPV4.

Don't forget the ever growing other part of the internet: IPV6 :wink:

1 Like

It does support IPv6

Just have to modify the code to state it's an IPV6 address

If you refer to the NodeJS blocklist class, the code will need modifying so it knows when to state it's an IPv6 address.
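An added example, not code from any poster in this thread: the reversed `BlockList` check discussed above, with the address family passed so that IPv6 entries and IPv4-mapped peers are handled. It uses Node.js's `net.BlockList`; the sample entries, the function names and the Express-style middleware shape are assumptions.

```javascript
const net = require("net");

// Constructed sample entries in the thread's whitelist.js style, plus IPv6.
const whitelist = [
  "127.0.0.1",        // IPv4 localhost
  "192.168.1.0/24",   // private IPv4 network
  "::1",              // IPv6 localhost
  "fd00:1234::/64"    // constructed IPv6 unique-local prefix
];

// Load the entries into a net.BlockList that is then used as an allow list.
function buildAllowList(entries) {
  const list = new net.BlockList();
  for (const entry of entries) {
    const [addr, prefix] = entry.split("/");
    const version = net.isIP(addr);            // 4, 6, or 0 if not an IP
    if (version === 0) throw new Error(`Invalid address: ${entry}`);
    const family = version === 6 ? "ipv6" : "ipv4";
    if (prefix === undefined) {
      list.addAddress(addr, family);
      continue;
    }
    // Reject "1.2.3.0/" or "/x": Number("") is 0, which would allow everyone.
    if (!/^\d+$/.test(prefix) || Number(prefix) > (version === 6 ? 128 : 32)) {
      throw new Error(`Invalid prefix: ${entry}`);
    }
    list.addSubnet(addr, Number(prefix), family);
  }
  return list;
}

// Default deny: only a valid address that matches an entry is allowed.
function isAllowed(list, ip) {
  // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip || "");
  const addr = mapped ? mapped[1] : ip || "";
  const version = net.isIP(addr);
  if (version === 0) return false;
  return list.check(addr, version === 6 ? "ipv6" : "ipv4");
}

// Express-style middleware (hypothetical name): 401 unless the peer is listed.
function ipAllowList(list) {
  return (req, res, next) => {
    if (isAllowed(list, req.socket.remoteAddress)) return next();
    res.statusCode = 401;
    res.end("Unauthorized");
  };
}
```

Behind a reverse proxy the socket peer is the proxy itself, so the check would need the client address the proxy forwards instead.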

I have updated the security FAQ with references to Node.js security best practices, the blocklist functions and this thread.

2 Likes