
Increasing NodeRED security: 5 min guide

How secure is your NodeRED server?

Interaction with various devices and systems inside and outside your local network is the key element of IoT and home automation. The moment you take things outside of your local network, you should start paying attention to the security of your connections. Don’t leave your home automation system exposed to hacks and malicious attacks. I accidentally exposed my DNS server in one of my previous videos, which sparked some security-related write-ups and this article too. Increase NodeRED security with these simple steps.

NodeRED security

Let’s start with the basics. Change your Raspberry Pi password. No matter how good your NodeRED security is, if you leave your SSH access exposed, all the hard work is for nothing. If your Raspberry Pi is secured already, open up the NodeRED settings file:

cd ~/.node-red
sudo nano settings.js

Before you open this file, however, it is worth generating the hash (the scrambled password string) for each password you will use. You will need the following:

  • NodeRED admin access (username, password)
  • NodeRED HTTP & flow access (username, password)
  • NodeRED Static Auth (optional)

NodeRED admin
This is your access to the NodeRED editor.
NodeRED HTTP and flow
This is your authentication for HTTP requests and access to nodes (i.e. Dashboard UI access).
NodeRED Static Auth
Authentication for static content such as hosted pages.

To generate hashes, you can use the terminal command node-red-admin hash-pw, or use this link in a browser if you would rather copy and paste the hashes from a computer. You will need at least one set, but creating a different username/password combination for the UI elements accessible to others is STRONGLY RECOMMENDED!

Before we jump into the credentials, consider changing the default port number (1880). It will make life harder for anyone blindly probing random IP addresses:

module.exports = {
    // the tcp port that the Node-RED web server is listening on
    uiPort: process.env.PORT || 1880,

Edit that port number and make sure it is not in use already. Also, remember to set up the correct port forwarding rules if the port has been changed.

NodeRED security – login credentials

It’s time to add the login credentials. Open the settings.js file, pick a username of your choice, then enter the hashed password. These are the credentials responsible for logging into NodeRED.

    // Securing Node-RED
    // -----------------
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See https://nodered.org/docs/security.html for details.
    adminAuth: {
        type: "credentials",
        users: [{
            username: "USERNAME",
            password: "PASS_HASH",
            permissions: "*"
        }]
    },

NodeRED security – HTTP and node access

In a similar fashion, edit the line responsible for HTTP access. You will need a username and a password hash. If a 3rd party issues HTTP requests to your server, DON’T reuse the editor login credentials here: those HTTP requests will expose that password.

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},

NodeRED security – HTTPstatic (optional)

If you are going to serve static content, you may as well add the proper authentication there:

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},
httpStaticAuth: {user:"user",pass:"pass_hash"},

NodeRED security – SSL certification

Lastly, you can secure the editor, dashboard and HTTP requests (a very good idea, since the URL otherwise carries the credentials in the clear) with SSL. I have a full separate guide on how to do this, so I’m going to link it here.

Remember, once SSL has been added to your server, you have to update all the URLs. The editor access, HTTP requests and pages will now start with HTTPS instead of HTTP. If you use IFTTT Webhooks or other services with hardcoded URLs, you need to update these too.

OR

Alternatively, redirect insecure HTTP connections to HTTPS from the settings.js file with this line:

// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
requireHttps: true
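As an added example that is not part of the original guide or of Node-RED itself: a small Node.js script that loads a settings.js and checks it for the gaps covered above (default port, missing or non-bcrypt credentials, editor password reused for HTTP endpoints, missing HTTPS). The file path, the sample settings objects and the placeholder hashes are assumptions.

```javascript
// Added example (not Node-RED's own code): audit a Node-RED settings.js for
// the weaknesses this guide covers. Usage: node audit-settings.js ~/.node-red/settings.js

// bcrypt hashes, as emitted by `node-red-admin hash-pw`, look like $2a$10$<53 chars>
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function auditSettings(s) {
  const findings = [];
  const admins = (s.adminAuth && s.adminAuth.users) || [];

  if (!s.uiPort || s.uiPort === 1880) findings.push("uiPort is the default 1880");
  if (!s.adminAuth) findings.push("adminAuth missing: editor and admin API are unprotected");
  for (const u of admins) {
    if (!BCRYPT_RE.test(u.password || "")) {
      findings.push(`adminAuth user "${u.username}" password is not a bcrypt hash`);
    }
  }
  for (const key of ["httpNodeAuth", "httpStaticAuth"]) {
    // static auth only matters when static content is actually served
    if (key === "httpStaticAuth" && !s.httpStatic) continue;
    const a = s[key];
    if (!a) { findings.push(`${key} not set`); continue; }
    if (!BCRYPT_RE.test(a.pass || "")) findings.push(`${key}.pass is not a bcrypt hash`);
    // reusing the editor password for HTTP endpoints exposes it to whoever calls them
    if (admins.some(u => u.password === a.pass)) findings.push(`${key} reuses an adminAuth password`);
  }
  if (!s.https) findings.push("https not configured");
  if (s.requireHttps !== true) findings.push("requireHttps is not true");
  return findings;
}

// Constructed samples; the hashes are placeholders in bcrypt format, not real ones
const HASH_A = "$2b$08$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0";
const HASH_B = "$2b$08$" + "0ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba";
const WEAK_SETTINGS = { uiPort: 1880, httpNodeAuth: { user: "admin", pass: "secret" } };
const HARDENED_SETTINGS = {
  uiPort: 18800,
  adminAuth: { type: "credentials", users: [{ username: "admin", password: HASH_A, permissions: "*" }] },
  httpNodeAuth: { user: "ui", pass: HASH_B },
  https: { key: "<key pem>", cert: "<cert pem>" },
  requireHttps: true,
};

// Only loads a real settings.js when a path is given on the command line
if (typeof require === "function" && require.main === module && process.argv[2]) {
  const findings = auditSettings(require(require("path").resolve(process.argv[2])));
  console.log(findings.length ? findings.join("\n") : "no findings");
}
```

Run it against the weak sample and it reports five findings; the hardened sample passes clean.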

Extra options – 2FA

If you want, you can apply an extra layer of security to your triggers too! I have created a two-factor authentication system for NodeRED which issues notifications to an Android device via Tasker.

Conclusion

There are a couple more advanced options in the settings.js file. Consider them if you will. If you follow the advice from this tutorial, your NodeRED server will be more secure and harder to attack. Remember that working with any external services exposes your server to attacks, and leaving it unprotected is unwise. I wrote this guide as an intro section for the NodeRED for beginners: Connectivity tutorial to make sure your first server is protected! If you are new to NodeRED, check out the guide!
