Security and node-red

I am aware that there are numerous valuable guides and articles available concerning the security of Node-RED. I have extensively perused many of these resources and endeavored, to the best of my ability, to adhere to the recommended practices and integrate them into my project. For those who may be interested, I will provide a succinct overview of my project and the security measures I have undertaken. Your insights and suggestions are most welcome.

Project Overview:
In my project, I interact with and manage a dosing pump via a Raspberry Pi. The Raspberry Pi hosts a Node-RED flow responsible for collecting data, which is subsequently transmitted to my MQTT broker. This broker operates on a Virtual Machine (VM) under my ownership. On this VM, another Node-RED flow functions, enabling me to visualize the MQTT data through a dashboard and exert control over the pump as needed. The structure is simple:

PUMP <----> RASPBERRY PI <-----> NODE-RED <------> MQTT <-------> NODE-RED (dashboard)

To access the dashboard and manage the pump, I utilize a URL. I've taken the following security measures to mitigate potential risks:

Enhanced Security for Editor and Dashboard:
I have fortified the security of both the Node-RED editor and dashboard by implementing robust ID and password requirements. This ensures that only authorized individuals can access and manipulate these interfaces.

Implementation of HTTPS:
I obtained an HTTPS certificate from my hosting provider of the virtual machine. This certificate has been integrated into my Node-RED setup, restricting access to the dashboard and editor solely through HTTPS, thus encrypting data transmission.

URL Restructuring:
I have altered the URL endpoints necessary to access the editor and dashboard interfaces. For instance, the dashboard can be accessed via "," whereas the editor requires " is available for purchase -"

I would greatly appreciate any assessment of the steps I have taken thus far, as well as any recommendations or insights you may have for further enhancements. In the future, I am considering a proxies such as nginx. My research has revealed that utilizing a proxy constitutes a pivotal security layer, thereby fostering a greater sense of confidence in the system's overall security.

best regards,

Are you accessing the dashboard on the same machine that is running NR?

I don't think there is a problem.
So long as you have an edit password set for NR.

That machine is on the bigger internet and only accessing NR's dashboard.

Seems like a sensible approach. Though assessment of system security is only really possible by looking at a detailed design and the actual implementation.

I always recommend the use of external security using tools like a proxy to separate the security and identity management from the Node-RED service. While it adds some complexity, it lets you use independent, battle-hardened security/IdM separate from Node-RED itself. Allowing centralised IdM, use of standard IdM and security tooling and separate update paths as well as being able to share settings between different web app tools.


This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.