I've just published Node-RED 0.20.8. It contains two fixes:
Pass httpServer to runtime even when httpAdmin disabled Fixes #2272
This fixes an issue where if you disabled the HTTP Admin and Editor (by setting
false, Node-RED Dashboard would stop working. This means it is now much easier to create an instance of Node-RED that only exposes the dashboard and does not allow any admin access.