Interaction with devices and services inside and outside your local network is the key element of IoT and home automation. The moment you take things outside your local network, you have to start paying attention to the security of those connections. Don't leave your home automation system exposed to attacks. I accidentally exposed my DNS server in one of my previous videos, which sparked some security-related write-ups and this article too. Increase your NodeRED security with these simple steps.

NodeRED security

Let's start with the basics. Change your Raspberry Pi's default password (better still, use SSH keys and disable password logins). No matter how good your NodeRED security is, if you leave SSH access exposed with a default password, all the hard work is for nothing. Once your Raspberry Pi is secured, open the NodeRED settings file:

cd ~/.node-red
sudo nano settings.js

Before you edit this file, generate the bcrypt hash for each password you need. NodeRED stores only the hash (a scrambled string the password cannot be recovered from); the plaintext password never goes into settings.js. You will need the following:

  • NodeRED admin access (username, password)
  • NodeRED HTTP & flow access (username, password)
  • NodeRED Static Auth (optional)

NodeRED admin
This is your access to the NodeRED editor and the admin API.
NodeRED HTTP and flow
This is the authentication for HTTP requests to your flows and for node-served pages (i.e. Dashboard UI access).
NodeRED Static Auth
Authentication for static content served from httpStatic, like hosted pages.

To generate a hash, use the NodeRED admin tool in a terminal (bundled with NodeRED 1.0 and later as node-red admin hash-pw; on older installs get it with npm install -g node-red-admin first). It prompts for the password and prints the hash:

node-red-admin hash-pw

or use this link in a browser if you would rather copy and paste the hashes from another computer. You need at least one set (the admin credentials), but creating a separate username/password pair for the UI elements that other people or services use is STRONGLY RECOMMENDED: a leaked dashboard or webhook password must not also open the editor.

Before we jump into the credentials, consider changing the default port number (1880). It will not stop anyone who scans every port on your address, but it cuts the noise from scanners that sweep random IP addresses for the default port:

module.exports = {
// the tcp port that the Node-RED web server is listening on
uiPort: process.env.PORT || 1880,

Edit that port number and make sure it is not already in use by another service (on Linux, ss -tlnp lists the listening ports). Also remember to update your port-forwarding rules if the port has been changed.

NodeRED security – login credentials

It's time to add the login credentials. In settings.js, pick a username of your choice and paste the hashed password. These are the credentials for logging into the NodeRED editor and admin API. permissions: "*" grants full access; NodeRED also accepts "read" for a read-only account, which is the right choice for anyone who only needs to look at the flows.

 // Securing Node-RED
// -----------------
// To password protect the Node-RED editor and admin API, the following
// property can be used. See https://nodered.org/docs/security.html for details.
adminAuth: {
type: "credentials",
users: [{
username: "USERNAME",
password: "PASS_HASH",
permissions: "*"
}]
},

NodeRED security – HTTP and node access

In a similar fashion, edit the line responsible for access to the HTTP endpoints. You will need a username and a password hash. If a third-party service (IFTTT webhooks and the like) issues HTTP requests to your server, DON'T hand it the editor login credentials. This is HTTP Basic authentication: the username and password are sent, merely base64-encoded, with every request, so the service, its logs and anyone watching an unencrypted connection can read that password.

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See https://nodered.org/docs/security.html#generating-the-password-hash
httpNodeAuth: {user:"user",pass:"pass_hash"},
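
To make that point concrete, here is an added example (not code from the original post or from Node-RED) that recovers the credentials from a request to an httpNodeAuth-protected endpoint sent over plain HTTP, and from a URL of the http://user:pass@host form that webhook services ask you to paste. The request is constructed by hand; the host, path and the credentials node / red:pw are placeholders.

```javascript
// Added example, not code from the original post or from Node-RED.
// A hand-constructed request to an httpNodeAuth-protected endpoint as it
// would travel over plain HTTP. Host, path and credentials are placeholders;
// the Authorization value is base64("node:red:pw").
const CAPTURED_REQUEST = [
  "POST /trigger HTTP/1.1",
  "Host: homeautomation.example:1880",
  "Authorization: Basic bm9kZTpyZWQ6cHc=",
  "Content-Type: application/json",
  "Content-Length: 15",
  "",
  '{"light": "on"}',
].join("\r\n");

// Split a raw request into the request line, a map of lowercase header
// names to values, and the body (everything after the first blank line).
function parseRequest(raw) {
  const [head, ...bodyParts] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine: lines[0], headers, body: bodyParts.join("\r\n\r\n") };
}

// Recover the Basic-auth user and password from a plaintext request.
// Returns null when no Basic credentials are present. Per RFC 7617 the
// decoded value is "user:password" split at the FIRST colon, so the
// password itself may contain colons.
function extractBasicCredentials(raw) {
  const { headers } = parseRequest(raw);
  const auth = headers["authorization"];
  if (!auth || !/^basic\s+/i.test(auth)) return null;
  const decoded = Buffer.from(auth.replace(/^basic\s+/i, ""), "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep === -1) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Credentials embedded in a URL (the userinfo part) are just as visible:
// in the third-party service's web form, in its logs, and on the wire.
function credentialsInUrl(urlString) {
  const u = new URL(urlString);
  if (!u.username) return null;
  return { user: decodeURIComponent(u.username), pass: decodeURIComponent(u.password) };
}

console.log("recovered from the plaintext request:", extractBasicCredentials(CAPTURED_REQUEST));
console.log(
  "recovered from a webhook URL:",
  credentialsInUrl("http://node:red%3Apw@homeautomation.example:1880/trigger")
);
```

Both functions return the same user and password, which is the whole problem: base64 and percent-encoding are transport encodings, not protection, and only TLS (the next section) hides them from anyone between the service and your server.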

NodeRED security – HTTPstatic (optional)

If you serve static content through httpStatic, protect it the same way. The entry sits right under httpNodeAuth and takes its own username and password hash:

httpNodeAuth: {user:"user",pass:"pass_hash"},
httpStaticAuth: {user:"user",pass:"pass_hash"},

NodeRED security – SSL certificate

Lastly, you can protect the editor, the dashboard and the HTTP requests sent to your flows with TLS (HTTPS). This is the step that makes the credentials above worth anything: with Basic authentication the username and password travel in every request, and webhook services often carry them in the URL itself, so over plain HTTP anyone between the service and your router can read them. I have a full separate guide on how to do this, so I'm going to link it here.

Remember, once HTTPS has been enabled on your server, you have to update all the URLs. Editor access, HTTP requests and pages now start with https:// instead of http://. If you use IFTTT Webhooks or other services with hardcoded URLs, update these too.

In addition (not instead of updating the URLs), you can have settings.js redirect insecure connections to HTTPS with this line. It only works once the https block from the guide above is configured, and it is a safety net rather than a fix: a client that still uses the old http:// URL has already sent its credentials in clear text before it receives the redirect, and many clients turn a redirected POST into a GET, so the webhook call fails anyway.

// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
requireHttps: true
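
The port, adminAuth, httpNodeAuth, httpStaticAuth and requireHttps steps above are easy to get half right (a plaintext password pasted where a hash belongs, the same hash reused for the editor and the webhooks, requireHttps without an https block). The following added audit script, which is not code from the original post or from Node-RED, checks a settings object for exactly those gaps. It assumes the settings shape that Node-RED documents; the two sample settings objects and the three hashes are constructed placeholders (format-valid bcrypt strings that hash nothing real).

```javascript
// Added audit script, not code from the original post or from Node-RED.
// Checks a settings.js object for the gaps this guide closes. Assumes the
// settings shape Node-RED documents (uiPort, adminAuth, httpNodeAuth,
// httpStaticAuth, https, requireHttps).

// Node-RED stores bcrypt hashes: "$2a$", "$2b$" or "$2y$", a two-digit cost,
// then 53 characters of bcrypt's own base64 alphabet (60 characters total).
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function isBcryptHash(value) {
  return typeof value === "string" && BCRYPT_RE.test(value);
}

// Returns a list of { level, message } findings; an empty list means nothing to fix.
function auditSettings(s) {
  const findings = [];
  const add = (level, message) => findings.push({ level, message });

  if (!s.uiPort || s.uiPort === 1880) {
    add("info", "uiPort is the default 1880; mass scanners try it first");
  }

  const adminUsers = s.adminAuth && Array.isArray(s.adminAuth.users) ? s.adminAuth.users : [];
  if (!s.adminAuth) {
    add("critical", "adminAuth missing: the editor and admin API accept anyone who can reach the port");
  } else if (adminUsers.length === 0) {
    add("critical", "adminAuth has no users, so nobody can log in");
  }
  for (const u of adminUsers) {
    if (!isBcryptHash(u.password)) {
      add("error", `adminAuth user "${u.username}" has a password that is not a bcrypt hash`);
    }
  }
  const adminHashes = new Set(adminUsers.map((u) => u.password));

  for (const key of ["httpNodeAuth", "httpStaticAuth"]) {
    const auth = s[key];
    if (!auth) {
      add("warn", `${key} not set: those endpoints answer without any credentials`);
      continue;
    }
    if (!isBcryptHash(auth.pass)) {
      add("error", `${key}.pass is not a bcrypt hash`);
    }
    if (adminHashes.has(auth.pass)) {
      add("warn", `${key} reuses an adminAuth password hash; a leaked webhook password then opens the editor`);
    }
  }

  if (!s.https) {
    add("warn", "https not configured: Basic-auth credentials and editor logins travel in clear text");
  }
  if (s.requireHttps && !s.https) {
    add("error", "requireHttps is set but https is not, so there is nothing to redirect to");
  }
  return findings;
}

// Collapse the findings to the single worst level, "ok" if there are none.
function worstLevel(findings) {
  const order = ["ok", "info", "warn", "error", "critical"];
  return findings.reduce((worst, f) => (order.indexOf(f.level) > order.indexOf(worst) ? f.level : worst), "ok");
}

// Constructed placeholder hashes: format-valid, not hashes of any real password.
const HASH_A = "$2b$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0";
const HASH_B = "$2b$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1";
const HASH_C = "$2b$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ2";

// Constructed: settings.js with plaintext passwords pasted in by mistake and
// the same pair reused for the editor and the HTTP endpoints.
const WEAK_SETTINGS = {
  uiPort: 1880,
  adminAuth: { type: "credentials", users: [{ username: "admin", password: "password", permissions: "*" }] },
  httpNodeAuth: { user: "admin", pass: "password" },
};

// Constructed: the same file after following this guide.
const HARDENED_SETTINGS = {
  uiPort: 18443,
  adminAuth: { type: "credentials", users: [{ username: "admin", password: HASH_A, permissions: "*" }] },
  httpNodeAuth: { user: "webhook", pass: HASH_B },
  httpStaticAuth: { user: "static", pass: HASH_C },
  https: { key: "<private key PEM>", cert: "<certificate PEM>" },
  requireHttps: true,
};

for (const [name, cfg] of [["weak", WEAK_SETTINGS], ["hardened", HARDENED_SETTINGS]]) {
  const findings = auditSettings(cfg);
  console.log(`${name}: ${worstLevel(findings)}`);
  for (const f of findings) console.log(`  [${f.level}] ${f.message}`);
}
```

To run it against a real install, require() your ~/.node-red/settings.js (it is a CommonJS module that exports the settings object) and pass the result to auditSettings. The hash-reuse check compares the hash strings literally, which catches the common mistake of pasting one generated hash into every field; two different hashes of the same password have different salts and will not be flagged, so keep the passwords different in the first place.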

Conclusion

There are a couple of more advanced options in settings.js, such as binding the server to one interface with uiHost or giving some users read-only permissions. Consider them if you need them. If you follow the advice in this tutorial, your NodeRED server will be more secure and harder to attack. Remember that working with any external service exposes your server to attacks, and leaving it unprotected is unwise. I wrote this guide as an intro section for the NodeRED for beginners: Connectivity tutorial to make sure your first server is protected! If you are new to NodeRED, check out the guide!
