This is an architectural question rather than a bug report.
In many flows, constraint checks (thresholds, retries, allowlists, etc.) are implemented inside function nodes or after an HTTP node executes. That works for validation, but it does not structurally prevent side effects if the check is misplaced or bypassed.
I’m exploring a pattern where every outbound side-effect (HTTP call, DB write, model invocation) must first pass through a deterministic “admission control” step.
Simplified structure:
Inject
→ Build context object
→ HTTP request to policy endpoint
→ Switch (allow / deny)
→ Continue or stop
The goal is that no external call executes unless explicitly allowed.
Questions:
Is there a common pattern in production for enforcing a single gating node across flows?
Would this best be implemented as a subflow wrapper?
Is there a clean way to ensure outbound HTTP nodes cannot be used unless routed through a gate?
How do teams typically enforce structural control rather than relying on convention?
Interested in how others approach this from a design standpoint.
It feels like your real problem here is in the word "enforcing". Node-RED is a general-purpose compute platform and enforcement was not really one of it's original design parameters I do not believe.
Strict enforcement in a production environment must come from outside the context that the developer (in this case, the flow author) is working in. So, by design, Node-RED would surely struggle with this.
The common approach here is to move risky requests out of the user-facing Node-RED instance. Either to another, more tightly controlled instance, or to an API platform of some kind. That way, flow authors cannot bypass controls and any requests can be properly validated.
So that is the answer. Block user-facing Node-RED instances from querying anything other than your API servers and do the validation and enforcement there.
That makes sense. The point about enforcement needing to exist outside the author’s context is interesting.
The pattern I’ve been experimenting with is exactly what you described — routing outbound requests through an API layer that performs a deterministic authorization check before the request is allowed to proceed.
Well, I was an IT Enterprise Architect by trade (recently retired), my view would be that it depends on your local architecture. I'm not sure that the actual mechanism is all that critical, whatever fits into what you have.
Not knowing your environment, all I an really say is KISS.
Any work would really be best targeted at eithet 4.1.x or better yet the dev branch which is going to become NR 5.0.0 some time in the not too distant future and probably on NodeJS 24 at a minimum for NR 5.0.0 stuff
