Did you stop node installs
Yes I did, user cannot install new nodes by himself, it can be done by admin after security check.
block filing system access (file and watch nodes)
Each tenant has separate filesystem so no need for blocking access, just some tweaks
block access to the exec node
Is Node-RED running under its own OS user ID with files and folders locked down
There is no issue with that
Is the server locked down and isolated from any other servers/services to prevent access
The issue is here, in current architecture everything is in one openshift cluster. Apart of nodereds there are dbs, backends, frontends, some of endpoints eg from backend are not exposed to internet but only internally inside cluster and they are reachable by nodered http request node (issue) if i dont protect it. Also cluster is hosted inside internal network and there is the same issue with http request if I dont protect it.
There will be not issue if connection for other internal services will be not needed but in a way it is done (embeeded in express app) it is necessery to have this connection.
Have you ensured that environment variables are not being used to pass credentials
Yes, i simply disabled ability to use them by overwritting nodered code (as this functionality is also dont provided in settings)
Have you protected any credentials your NR server needs to access db's and other services
And not terribly secure I'm afraid.
Yup, but If someone will also need this feature he will probably be aware of all risks, presence of this functionality doesn`t lower whole nodered secuirity. There also might be use case if someone wants to add some headers to every outgoing http request.