I've set up a Node-RED UI that is publicly accessible via an Nginx reverse proxy. In this setup, my Node-RED instance is password-protected, and the UI I've published is designed for display purposes only – it doesn't include any interactive features for visitors, just data presentation.
Is there any additional security measures I should consider. Currently, the setup includes:
- Password protection for Node-RED.
- The UI is read-only with no interactive elements.
Any suggestions or insights would be greatly appreciated.
There have been a lot of discussions on securing NR recently.
Please have a search on the forum otherwise people are going to have to repeat a lot of advice
There are the usual things. Make sure you are using https and make sure that you run the public-facing site against some of the free security, performance and accessibility checkers.
HTTPS security should be used even if users are not inputting.
Ideally, don't expose the Editor to the Internet directly. If remote access is needed, better to use it indirectly using Cloudflare Zero Trust or similar. It is not recommended to rely on Node-RED logins for production use (or at least I don't recommend it), use something more battle tested - Zero Trust has a built-in service for example with 50 users on the free tier.