I am aware that there are numerous valuable guides and articles available concerning the security of Node-RED. I have extensively perused many of these resources and endeavored, to the best of my ability, to adhere to the recommended practices and integrate them into my project. For those who may be interested, I will provide a succinct overview of my project and the security measures I have undertaken. Your insights and suggestions are most welcome.
Project Overview:
In my project, I interact with and manage a dosing pump via a Raspberry Pi. The Raspberry Pi hosts a Node-RED flow responsible for collecting data, which is subsequently transmitted to my MQTT broker. This broker operates on a Virtual Machine (VM) under my ownership. On this VM, another Node-RED flow functions, enabling me to visualize the MQTT data through a dashboard and exert control over the pump as needed. The structure is simple:
PUMP <----> RASPBERRY PI <-----> NODE-RED <------> MQTT <-------> NODE-RED (dashboard)
To access the dashboard and manage the pump, I utilize a URL. I've taken the following security measures to mitigate potential risks:
Enhanced Security for Editor and Dashboard:
I have fortified the security of both the Node-RED editor and dashboard by implementing robust ID and password requirements. This ensures that only authorized individuals can access and manipulate these interfaces.
Implementation of HTTPS:
I obtained an HTTPS certificate from the hosting provider of the virtual machine. This certificate has been integrated into my Node-RED setup, restricting access to the dashboard and editor solely through HTTPS, thus encrypting data transmission.
URL Restructuring:
I have altered the URL endpoints necessary to access the editor and dashboard interfaces. For instance, the dashboard can be accessed via "demo.mywebsite.com", whereas the editor requires a different URL, "mywebsite.com/[editor path not preserved]".
I would greatly appreciate any assessment of the steps I have taken thus far, as well as any recommendations or insights you may have for further enhancements. In the future, I am considering a proxy such as nginx. My research has revealed that utilizing a proxy constitutes a pivotal security layer, thereby fostering a greater sense of confidence in the system's overall security.
Best regards,
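The three measures described above (editor and dashboard logins, HTTPS on the built-in server, and non-default editor and dashboard paths) all live in Node-RED's settings.js. The block below is an added example, not the poster's configuration: it builds that part of settings.js from a few parameters and includes a small audit helper that reports which of the measures are missing or still at Node-RED's defaults. The certificate paths, the "admin" username, the route names and the bcrypt hashes are placeholders; real hashes come from `node-red admin hash-pw`.

```javascript
"use strict";

// Build the security-relevant part of a Node-RED settings.js.
// Every path, name and hash below is a placeholder for illustration.
function buildSettings(opts) {
  const o = Object.assign({
    adminPasswordHash: null,     // bcrypt hash from `node-red admin hash-pw`
    dashboardPasswordHash: null, // bcrypt hash for the dashboard (httpNodeAuth)
    keyPath: "/etc/ssl/private/node-red.key", // placeholder path
    certPath: "/etc/ssl/certs/node-red.pem",  // placeholder path
    adminRoot: "/",              // Node-RED default: editor served at /
    dashboardPath: "ui",         // node-red-dashboard default: /ui
    requireHttps: false,         // Node-RED default: http:// still answers
  }, opts);

  return {
    // Editor / admin API login. Node-RED checks the password against the bcrypt hash.
    adminAuth: o.adminPasswordHash ? {
      type: "credentials",
      users: [{ username: "admin", password: o.adminPasswordHash, permissions: "*" }],
    } : undefined,

    // Basic-auth for everything under httpNodeRoot, which is where the dashboard lives.
    httpNodeAuth: o.dashboardPasswordHash
      ? { user: "viewer", pass: o.dashboardPasswordHash }
      : undefined,

    // TLS for the built-in HTTP server. Node-RED accepts a function here, so the
    // files are read at startup rather than when this module is loaded.
    https: () => {
      const fs = require("fs");
      return { key: fs.readFileSync(o.keyPath), cert: fs.readFileSync(o.certPath) };
    },
    requireHttps: o.requireHttps, // redirect plain http:// requests to https://

    httpAdminRoot: o.adminRoot,   // where the editor is served
    httpNodeRoot: "/",            // where http-in nodes and the dashboard are served
    ui: { path: o.dashboardPath },// dashboard path relative to httpNodeRoot
  };
}

// Audit a settings object: which of the post's measures are absent or at defaults?
function auditSettings(s) {
  const findings = [];
  if (!s.adminAuth) findings.push("editor has no adminAuth: anyone reaching it can edit flows");
  if (!s.httpNodeAuth) findings.push("dashboard has no httpNodeAuth: anyone reaching it can control the pump");
  if (!s.https) findings.push("no https setting: traffic to editor and dashboard is plaintext");
  if (s.https && !s.requireHttps) findings.push("requireHttps is false: http:// still served alongside https://");
  if (!s.httpAdminRoot || s.httpAdminRoot === "/") findings.push("editor still at default path /");
  if (!s.ui || !s.ui.path || s.ui.path === "ui") findings.push("dashboard still at default path /ui");
  return findings;
}

// Usage (constructed values): defaults first, then the hardened variant.
const findingsForDefaults = auditSettings(buildSettings({}));
const findingsForHardened = auditSettings(buildSettings({
  adminPasswordHash: "$2b$08$placeholder-hash-from-node-red-admin-hash-pw",
  dashboardPasswordHash: "$2b$08$placeholder-hash-from-node-red-admin-hash-pw",
  adminRoot: "/editor-example",
  dashboardPath: "panel-example",
  requireHttps: true,
}));

module.exports = { buildSettings, auditSettings, findingsForDefaults, findingsForHardened };
```

Running the audit against an unmodified settings.js lists five findings; against the hardened variant it lists none. Moving the editor and dashboard off their default paths mainly reduces noise from scanners that probe `/` and `/ui`; `adminAuth`, `httpNodeAuth` and `requireHttps` are the settings that actually deny access, so the audit treats them as the important ones.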