HomeHome AutomationIncreasing NodeRED security: 5 min guide

Increasing NodeRED security: 5 min guide

How secure is your NodeRED server?

Interaction with various devices and systems inside and outside your local network is the key element of IoT and home automation. The moment you’ll take things outside of your local network you should start paying attention to the security of your connections. Don’t leave your home automation system exposed to hacks, and malicious attacks. I accidentally exposed by DNS server in one of my previous videos which sparked some security-related write-ups and this article too. Increase NodeRED security with these simple steps.

NodeRED security

Let’s start with the basics. Change your Raspberry Pi password. No matter how good is your NodeRED security, if you leave your SSH access exposed, all the hard work is for nothing. If your Raspberry Pi is secured already, open up the NodeRED settings file:

cd ~/.node-red
sudo nano settings.js

Just before you open this file however it’s good to generate the hash (scrambled password string) for your password(s). You will need the following:

  • NodeRED admin access (username, password)
  • NodeRED HTTP & flow access (username, password)
  • NodeRED Static Auth (optional)

NodeRED admin
This is is your access to the NodeRED editor
NodeRED HTTP and flow
This is your authentication for HTTP requests and access to nodes (ie: Dashboard UI access)
NodeRED Static Auth
Authentication for static content like hosted pages etc.

To generate hashes, you can use the terminal command: node-red-admin hash-pw or use this link in a browser if you rather copy and paste the hashes from a computer. You will need a minimum one set, but creating a different username/password combination for your UI elements accessible to others is STRONGLY RECOMMENDED!

Before we jump into the credentials, consider changing the default PORT number (1880). It will make life harder for anyone trying to spam random IP addresses:

module.exports = {
// the tcp port that the Node-RED web server is listening on
uiPort: process.env.PORT || 1880,

edit that port number, make sure it’s in use already. Also, remember to set up the correct port forwarding rules if the port has been changed.

NodeRED security – login credentials

It’s time to add the login credentials. Open the settings.js files and pick a username of your choice, then enter the hashed password. These are the credentials responsible for logging into the NodeRED.

 // Securing Node-RED
// -----------------
// To password protect the Node-RED editor and admin API, the following
// property can be used. See https://nodered.org/docs/security.html for details.
adminAuth: {
type: "credentials",
users: [{
username: "USERNAME",
password: "PASS_HASH",
permissions: "*"

NodeRED security – HTTP and node access

In a similar fashion, edit the line responsible for the access. You will need a username and password hash. If a 3rd party issues HTTP requests to your server DON’T use the login credentials. HTTP requests will expose that password.

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},

NodeRED security – HTTPstatic (optional)

If you are going to serve static content, you may as well add the proper authentication there:

  // To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},
httpStaticAuth: {user:"user",pass:"pass_hash"},

NodeRED security – SSL certification

Lastly, you can secure the editor, dashboard and HTTP requests sent (a very good idea since the URL contains exposed credentials) with SSL.  I have a full separate guide on how to do this, so I’m going to link it here.

Remember, once the SSL has been added to your server, you have to update all the URLs. The access, HTTP requests, and pages will start now with HTTPS not HTTP. If you use IFTTT Webhooks, and other services with hardcoded URLs, you need to update these too.


Update the insecure connections using the setting.js file and redirect it to the HTTPS with this line:

// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
requireHttps: true

Extra options – 2FA

If you want, you can apply an extra layer of security to your triggers too! I have created a two-factor authentication system for NodeRED which will issue notifications to Android device via Tasker.


There are a couple of more advanced options in the settings.js file. Consider them if you will. If you follow my advice from this tutorial, your NodeRED server will be more secure and harder to attack. Remember working with any external services exposes your server to attacks. Leaving it unprotected is unwise. I wrote this guide as an intro section for the NodeRED for beginners: Connectivity tutorial to make sure your first server is protected! If you are new to NodeRED – check out the guide!


Nothing says "Thank you" better than keeping my coffee jar topped up!


Support me on Patreon and get an early access to tutorial files and videos.


Bitcoin (BTC)

Use this QR to keep me caffeinated with BTC: 1FwFqqh71mUTENcRe9q4s9AWFgoc8BA9ZU

Smart Ideas with

Automate your space in with these ecosystems and integrate it with other automation services


Learn NodeRED

NodeRED for beginners: 1. Why do you need a NodeRED server?

To server or not to server? That's a very silly question!

Best Automation Projects

Tuya SDK for beginners: Intro to Tuya Cloud API

Working with Tuya Cloud API. A guide to Cloud automation for beginners, get started with REST!

NEST your old thermostat under $5

Nest-ing up your older thermostat under $5

Nora – Google Assistant in NodeRED

Integrate Google Assistant with NodeRED thanks to Nora - NodeRED home automation

Sonoff Zigbee Bridge – review

Sonoff line up will soon include Sonoff Zigbee Bridge and more Zigbee sensors - here is the first look

DIY Smart Washing Machine – for about 15 bucks!

Learn how to add washing machine notifications to your Google Home on the cheap

Smart Home

I wish I had known about the SMLIGHT ZigBee/Thread Coordinators sooner!

SMLIGHT coordinators are the perfect choice for anyone just diving into ZigBee. SLZB-06 series is easy to use and comes with future-proofing Thread support.

Sonoff ZigBee Bridge U isn’t what you think!

I expected Sonoff ZB Bridge U to be a next gen ZigBee bridge with Matter support. Turns out, there is much more to talk about!

Aqara “Everything” M3 Hub

When I started my home automation adventure, the current problem was the number of ecosystems needed to outfit your smart home. Aqara M3 Hub has a long list of protocols to match that!

Sonoff ZB Micro did it! (and bonus ZigBee device)

A long time ago, I took an angle grinder to the humble Sonoff Micro, will I do this again? Meet Sonoff ZB Micro and Sonoff ZB Contact (SNZB-04P) - the latest devices from the ZigBee ecosystem.

This keyless entry is PRO: SwitchBot Lock Pro

SwitchBot Lock Pro offers comprehensive upgrades over the original, combining enhanced design, stronger performance, and a faster mechanism for keyless entry