Nodered hacked by adding invisible nodes

I feel you on that!

Issues with making security baked into node-red:

  1. As node-red is open source, any measure created to stop something is just a well-documented attack vector to be broken. By implementing external measures they can be different for each creator. Security by obscurity is not the best method, but when combined with known working practices it makes each person's server a new nut to crack. Most hacks are just script kiddies' bots banging on doors looking for the low-hanging fruit.

  2. Breaking changes. If node-red starts baking in security it causes server admins to lose their shit. Having to bypass or figure out how to work around changes can be a pain. I have node-red instances out there still running ver. 0.18.x because of this. I keep them dockered or use custom APIs to talk to them and never let them see the big bad internet.

  3. Development time. Security is hard and very time-consuming to code up. It takes many times more time to write security-related code than it does to write a new node feature .... well, most of the time.

  4. Lastly, the entry barrier for new users. If you move the security into node-red, it will require new users to learn a lot more to get node-red up and running. Reading a lot more documentation. And issues when creating their setup. A lot of the issues/learning you're having with securing node-red using outside resources will just be pushed into node-red.

I have stated this many times and it's not directed at you @rko ... it's for all. With internet security nowadays you have 2 choices.
LEARN LEARN LEARN for months ... and then keep learning because new vectors will happen.
or pay someone else to do it for you -----> https://flowfuse.com/