Secure source code file flow.json


We have developed our IoT application on the Node-RED platform, and now we want to deploy the developed application in the client's production system. We have enabled HTTPS access and secured the editor with a user name and password.

So no one from outside can connect to our Node-RED platform.

But here the problem is, the developed flow_hostname.json file is present in the local storage on the client production system, i.e. under the .nodered folder.

So our client can have a copy of our source file, flow_hostname.json. So how do we protect the source file?

Like in Python, we can convert the .py file to .pyc (compiled Python file), which means that when we open the file it is not easy to understand.
Similarly, how do we have to secure the flow_hostname.json file on the client system?

Please do the needful. We are in the deployment phase.

I am looking forward to hearing your valuable advice on this.

My advice is - don't lock your customer out.

If a contractor does this to me, I simply stop using them, or I put it in the T+Cs.
If I have access to the internals, where I can debug a problem and fix it myself (i.e. avoid unnecessary extended outages), I will re-use that contractor again and again.

Even if you could encrypt the flows file, it would need to be decrypted for Node-RED to use it in the runtime, then what would stop the client from simply exporting your flow and then importing it again in another system?

Hi @AnusudhanK7

This question gets asked from time to time on the forum - it's worth having a search to see the previous discussions so we don't have to repeat them all over again.

From a technical standpoint, it is a hard problem to fully secure any program if the end user has access to the device.

You cite compiling Python to pyc as an example - there are lots of tools out there that can decompile pyc back into readable Python. The same is true of all compiled languages.

There are certainly steps you could take to make it harder for the end user to access the information, but it will never be fully secure if they have command-line access.

For example, you could create a custom storage plugin for Node-RED that can handle decrypting the flows file. But you'd have to acknowledge that the code to do that decrypting would be Node.js code that a user could look at and reproduce for themselves. It would stop the casual user from opening the flows file directly, but any determined user would be able to access the flow information.

As I said, have a search of the previous discussions on this topic. You'll soon see there isn't a magic solution to this.

Yeah, I understand. We don't want a casual user to access the flows file. Could you please share the link, so that I can implement the same.

I have searched, but I was not able to find the topic you mentioned. All we need is the primary level of source code (flow.json) protection.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.