
Increasing NodeRED security: 5 min guide

How secure is your NodeRED server?

Interaction with various devices and systems inside and outside your local network is the key element of IoT and home automation. The moment you take things outside of your local network, you should start paying attention to the security of your connections. Don’t leave your home automation system exposed to hacks and malicious attacks. I accidentally exposed my DNS server in one of my previous videos, which sparked some security-related write-ups and this article too. Increase NodeRED security with these simple steps.

NodeRED security

Let’s start with the basics. Change your Raspberry Pi password. No matter how good your NodeRED security is, if you leave your SSH access exposed, all the hard work is for nothing. If your Raspberry Pi is secured already, open up the NodeRED settings file:

cd ~/.node-red
sudo nano settings.js

Before you open this file, however, it’s a good idea to generate the hash (scrambled password string) for your password(s). You will need the following:

  • NodeRED admin access (username, password)
  • NodeRED HTTP & flow access (username, password)
  • NodeRED Static Auth (optional)

  • NodeRED admin: this is your access to the NodeRED editor.
  • NodeRED HTTP and flow: this is your authentication for HTTP requests and access to nodes (i.e. Dashboard UI access).
  • NodeRED Static Auth: authentication for static content like hosted pages etc.

To generate hashes, you can use the terminal command node-red-admin hash-pw, or use this link in a browser if you would rather copy and paste the hashes from a computer. You will need at least one set, but creating a different username/password combination for your UI elements accessible to others is STRONGLY RECOMMENDED!

Before we jump into the credentials, consider changing the default PORT number (1880). It will make life harder for anyone trying to spam random IP addresses:

module.exports = {
    // the tcp port that the Node-RED web server is listening on
    uiPort: process.env.PORT || 1880,

Edit that port number and make sure the new port isn’t already in use. Also, remember to set up the correct port forwarding rules if the port has been changed.

NodeRED security – login credentials

It’s time to add the login credentials. Open the settings.js file and pick a username of your choice, then enter the hashed password. These are the credentials responsible for logging into the NodeRED editor.

// Securing Node-RED
// -----------------
// To password protect the Node-RED editor and admin API, the following
// property can be used. See https://nodered.org/docs/security.html for details.
adminAuth: {
    type: "credentials",
    users: [{
        username: "USERNAME",
        password: "PASS_HASH",
        permissions: "*"
    }]
},

NodeRED security – HTTP and node access

In a similar fashion, edit the line responsible for HTTP and node access. You will need a username and password hash. If a 3rd party issues HTTP requests to your server, DON’T use the login credentials. HTTP requests will expose that password.

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},

NodeRED security – HTTPstatic (optional)

If you are going to serve static content, you may as well add the proper authentication there:

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},
httpStaticAuth: {user:"user",pass:"pass_hash"},

NodeRED security – SSL certification

Lastly, you can secure the editor, dashboard and HTTP requests (a very good idea since the URL contains exposed credentials) with SSL. I have a full separate guide on how to do this, so I’m going to link it here.

Remember, once SSL has been added to your server, you have to update all the URLs. The access, HTTP requests, and pages will now start with HTTPS, not HTTP. If you use IFTTT Webhooks and other services with hardcoded URLs, you need to update these too.

OR

Redirect insecure connections to HTTPS using the settings.js file with this line:

// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
requireHttps: true
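
The settings covered so far can be checked in one pass. The following is an added example, not code from the original guide or from the Node-RED project: it audits an already-loaded settings object for the items this article walks through. The auditSettings function, the sample objects, the usernames, port 1885, the static path and the hash strings are all constructed for illustration.

```javascript
// Added example, not part of the original guide: audits a loaded settings
// object. Hash strings are constructed placeholders shaped like bcrypt output.
const BCRYPT = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;
const fakeHash = (c) => "$2b$08$" + c.repeat(53);

function auditSettings(s) {
  const out = [];
  const admins = (s.adminAuth && s.adminAuth.users) || [];
  if (s.uiPort === 1880) out.push("uiPort: still the default 1880");
  if (admins.length === 0) out.push("adminAuth: editor and admin API are unprotected");
  for (const u of admins) {
    if (!BCRYPT.test(u.password)) {
      out.push(`adminAuth: password for "${u.username}" is not a bcrypt hash`);
    }
  }
  for (const key of ["httpNodeAuth", "httpStaticAuth"]) {
    // httpStaticAuth only matters when static content is actually served.
    if (key === "httpStaticAuth" && !s.httpStatic) continue;
    const a = s[key];
    if (!a) { out.push(`${key}: not set`); continue; }
    if (!BCRYPT.test(a.pass)) out.push(`${key}: pass is not a bcrypt hash`);
    // Same username or a copied hash means this login doubles as the editor login.
    if (admins.some((u) => u.username === a.user || u.password === a.pass)) {
      out.push(`${key}: reuses the editor login`);
    }
  }
  if (s.requireHttps !== true) out.push("requireHttps: plain HTTP is not redirected");
  return out;
}

// Constructed sample: plaintext passwords, shared login, default port.
const SAMPLE_WEAK = {
  uiPort: 1880,
  adminAuth: { type: "credentials", users: [{ username: "admin", password: "hunter2", permissions: "*" }] },
  httpNodeAuth: { user: "admin", pass: "hunter2" },
  httpStatic: "/home/pi/static",
};
// Constructed sample: every step of the article applied.
const SAMPLE_HARDENED = {
  uiPort: 1885,
  adminAuth: { type: "credentials", users: [{ username: "editor", password: fakeHash("A"), permissions: "*" }] },
  httpNodeAuth: { user: "dashboard", pass: fakeHash("B") },
  httpStatic: "/home/pi/static",
  httpStaticAuth: { user: "pages", pass: fakeHash("C") },
  requireHttps: true,
};

console.log(auditSettings(SAMPLE_WEAK));
console.log(auditSettings(SAMPLE_HARDENED));
```

Because bcrypt salts each hash, the reuse check only catches a copied hash or a shared username, not the same password hashed twice.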

Extra options – 2FA

If you want, you can apply an extra layer of security to your triggers too! I have created a two-factor authentication system for NodeRED which will issue notifications to an Android device via Tasker.

Conclusion

There are a couple of more advanced options in the settings.js file. Consider them if you will. If you follow my advice from this tutorial, your NodeRED server will be more secure and harder to attack. Remember, working with any external services exposes your server to attacks. Leaving it unprotected is unwise. I wrote this guide as an intro section for the NodeRED for beginners: Connectivity tutorial to make sure your first server is protected! If you are new to NodeRED, check out the guide!
