Is http node secure?

Guacamole-1 · 17 October 2020 22:12

hi, im new to node red and i would like to know if the http nodes are secure if exposed to the internet?
is it secure if i have a simple website with node exposed to the internet?

michaelblight · 18 October 2020 01:48

You can put NR behind a reverse proxy (eg. NGINX) and use SSL, or configure NR to use SSL (see https://notenoughtech.com/home-automation/how-to-add-ssl-certification-to-nodered/). And I use node-red-contrib-httpauth for simple authentication.

TotallyInformation · 18 October 2020 16:40

Quick answer is that Node-RED is not secure without additional protection. This is not the "fault" of the http-in node nor of Node-RED, it is common amongst applications that provide microservices. They focus on what is important to them and assume that you will do whatever is needed in order to protect your services and devices.

As Michael says, one of the best approaches for protection is to use something like NGINX, HAproxy or Caddy to provide a reverse proxy and configured to provide HTTPS. You can also use it to take care of authentication too if you want to.

There are plenty of blog posts and articles that cover this.

ristomatti · 19 October 2020 13:29

I wonder if @Guacamole-1 meant if the http in nodes pose a risk for Node-RED compromise as such? Not necessarily if the data is transmitted securely/encrypted.

TotallyInformation · 19 October 2020 16:21

I personally would not want to separate those 2.

I don't think that the http-in node represents any more of a risk than Node-RED itself. After all, all it does is to use the existing ExpressJS server to set up an incoming path.

The point that I always try to get across is that Internet/web security is NEVER straight-forwards. It is always easier to get wrong than to get right simply because there are so many moving parts that have all to be correctly configured. This shouldn't be a surprise in this day and age given the number of times - PER DAY - we see security compromises of web-based services.

That's why I nearly always recommend putting your security outside of Node-RED. It is generally easier to correctly configure separated systems doing specific tasks than trying to squeeze everything into a single, complex configuration. It also gives you options for defence-in-depth.

ristomatti · 19 October 2020 16:45

Mostly agree and of course without adding a proxy, you would also have to expose the admin endpoints which is not good either (unless disabling it from the settings).

system · 2 November 2020 16:45

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exposing a HTTP node without SSL in secured NR General	2	450	30 November 2018
Securing Node-Red General security	33	8204	24 December 2023
Accessing node-RED using local IP General	14	1804	7 February 2022
Setting up a secure connection General	7	406	31 March 2021
Node red access from outside with HTTP authentication General	13	1921	10 July 2021

Is http node secure?

Related Topics