I am creating an API to communicate from an IIS webpage to Node-RED and back to the page. I have an http in and an http out node. I am wanting to secure this API from unauthorized GET requests. Any suggestions on where I should start?
How/where are you running Node-RED? Is that also running on a Windows server with IIS? Because if so, there is a proxy tool that Microsoft use on Azure web services that you can use anywhere that integrates running Node-RED with IIS and opens up the ability to secure access using AD/AAD.
Generally, proxies are the most comprehensive way to secure things. Not only does it keep your Node-RED configuration simpler but you tend to get far more options and options that may be more battle-tested as well. Certainly, they will be more performant.
I would strongly recommend the use of a proxy server then. Something like NGINX, Caddy, or HAProxy with a suitable identity and access management integration. Especially if you are operating in an enterprise environment where you may already have an existing IdM setup.
Is there not a way I could just pass a token?
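
On the token question above, an added example that is not part of the original thread: the logic a function node with two outputs could run between the http in node and the rest of the flow, rejecting requests that lack a valid bearer token. The names `checkBearer` and `tokensMatch` are hypothetical, and it assumes the `crypto` module is made available to the function node and that the expected token is supplied from outside the flow.

```javascript
const crypto = require("crypto");

// Compare in constant time. Hashing first gives equal-length buffers,
// which timingSafeEqual requires, and hides the token length.
function tokensMatch(presented, expected) {
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns [authorized, rejected], the array form a Node-RED function node
// uses for two outputs. Exactly one element is non-null.
function checkBearer(msg, expectedToken) {
  // Node.js lowercases incoming header names.
  const headers = (msg.req && msg.req.headers) || {};
  const header = typeof headers.authorization === "string" ? headers.authorization : "";
  // Accept only "Bearer <token68>"; any other scheme or shape is rejected.
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(header);

  // Fail closed: an unset expected token never authorizes anything.
  if (!expectedToken || !match || !tokensMatch(match[1], expectedToken)) {
    // These three properties are what the http response node sends back.
    msg.statusCode = 401;
    msg.headers = { "WWW-Authenticate": 'Bearer realm="api"' };
    msg.payload = { error: "unauthorized" };
    return [null, msg];
  }
  return [msg, null];
}
```

Wire the first output to the protected part of the flow and the second output straight to the http response node, so rejected requests get a 401 and never reach the flow.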
