Is http node secure?

hi, im new to node red and i would like to know if the http nodes are secure if exposed to the internet?
is it secure if i have a simple website with node exposed to the internet?

You can put NR behind a reverse proxy (eg. NGINX) and use SSL, or configure NR to use SSL (see https://notenoughtech.com/home-automation/how-to-add-ssl-certification-to-nodered/). And I use node-red-contrib-httpauth for simple authentication.

Quick answer is that Node-RED is not secure without additional protection. This is not the "fault" of the http-in node nor of Node-RED, it is common amongst applications that provide microservices. They focus on what is important to them and assume that you will do whatever is needed in order to protect your services and devices.

As Michael says, one of the best approaches for protection is to use something like NGINX, HAproxy or Caddy to provide a reverse proxy and configured to provide HTTPS. You can also use it to take care of authentication too if you want to.

There are plenty of blog posts and articles that cover this.

I wonder if @Guacamole-1 meant if the http in nodes pose a risk for Node-RED compromise as such? Not necessarily if the data is transmitted securely/encrypted.

I personally would not want to separate those 2.

I don't think that the http-in node represents any more of a risk than Node-RED itself. After all, all it does is to use the existing ExpressJS server to set up an incoming path.

The point that I always try to get across is that Internet/web security is NEVER straight-forwards. It is always easier to get wrong than to get right simply because there are so many moving parts that have all to be correctly configured. This shouldn't be a surprise in this day and age given the number of times - PER DAY - we see security compromises of web-based services.

That's why I nearly always recommend putting your security outside of Node-RED. It is generally easier to correctly configure separated systems doing specific tasks than trying to squeeze everything into a single, complex configuration. It also gives you options for defence-in-depth.

Mostly agree and of course without adding a proxy, you would also have to expose the admin endpoints which is not good either (unless disabling it from the settings).

1 Like