NSQ components expose HTTP/TCP interfaces and require network-layer protection.
- Bind nsqd/nsqlookupd/nsqadmin to private networks.
- Restrict admin UI access with reverse proxy auth/TLS.
- Limit producer and consumer hosts via firewall rules.
- Protect topic/channel naming and deletion operations.
- Monitor message backlog growth and consumer error rates.
- Keep NSQ binaries updated and from trusted sources.