Securing Node-red endpoints

Hi There,
I created bunch of end points which can be accessed by anyone. can anyone please suggest how I can protect node-red api end points (Token based or any alt ways)

Thanks in Advance,
Regards,
Sangamesh

Hi @SangamBgk,

Are you referring to HTTP-IN nodes or http admin endpoints?

If the former, there are various ways, from the easiest, to the more involved.

Easiest:
Include in your URI a parameter placeholder.
/SomeURI/:Token/APIMethod

You can then check the value at this path: msg.req.params.Token and react accordingly i.e. send a 401 if its not the expected value.

The problem here - its a plant text value - but you can develop a means to generate a token prior to this call. i.e create an endpoint to generate a token with a predefined shelf life, providing the POSTED value contains some valid credentials.

You could also just require some header information, that must be valid, for the call to be honored.

The more involved:
Add middlware to settings.js (httpNodeMiddleware)
This will however apply to every HTTP-IN NODE.

Example - I do this to correct a mimetype from one of our servers.
but you can apply the same tactic, to authorize the incoming request, and if it isn't to be authorized.
return a 401 (and don't call next())

httpNodeMiddleware: function (req, res, next) {
        var ContentType = req.headers['content-type'];
        if (ContentType === 'xml' || ContentType === 'json') {
            req.headers['content-type'] = 'application/' + ContentType;
        }
        next();
},

There are also nodes that add security to the http in flow - But I have not had much exp with them.

1 Like

There are various posts on the forum about securing Node-RED applications.

Probably the easiest way is to use a reverse proxy and do the security there. Then you don't have to mess with Node-RED.