Node-RED has a lightweight runtime but can execute arbitrary JavaScript logic and install community nodes. Production security depends on strict editor access and runtime governance.
Node-RED official guidance requires securing the editor with adminAuth.
Required controls:
- adminAuth with hashed passwords and minimum role access

credentialSecret and secure flow credentials
Node-RED encrypts credential fields with credentialSecret.
Hardening baseline:
- credentialSecret in settings.js
- flows_cred.json and credentialSecret kept together

Node-RED supports HTTPS configuration and should not run admin traffic over plain HTTP in production.
Transport controls:
Third-party nodes are executable code with network/system access.
Supply-chain controls:
Node-RED runtime often integrates with local files, MQTT brokers, and shell commands.
Runtime controls:
- Avoid --privileged containers

Official guidance (adminAuth, HTTPS, credential handling): https://nodered.org/docs/user-guide/runtime/securing-node-red
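The adminAuth, credentialSecret, HTTPS and supply-chain controls above can be checked mechanically before a settings.js goes to production. The following audit function is an added example, not Node-RED project code; the settings keys it reads (adminAuth, credentialSecret, https, requireHttps, editorTheme.palette.editable) are real Node-RED settings, while the two sample settings objects are constructed and their hash and PEM values are placeholders.

```javascript
// Audit a Node-RED settings.js object against the controls above; returns finding strings.
function auditSettings(s) {
  const findings = [];
  // Editor access: adminAuth with bcrypt-hashed passwords and least privilege.
  if (!s.adminAuth) {
    findings.push('adminAuth missing: editor and admin API are unauthenticated');
  } else {
    const users = s.adminAuth.users || [];
    for (const u of users) {
      if (!/^\$2[aby]\$\d\d\$/.test(u.password || '')) {
        findings.push(`user ${u.username}: password is not a bcrypt hash`);
      }
    }
    if (users.length > 0 && users.every((u) => u.permissions === '*')) {
      findings.push('adminAuth: every user has "*" permissions; use "read" where full access is not needed');
    }
  }
  // Credentials: an explicit credentialSecret; false stores flow credentials in clear text.
  if (s.credentialSecret === false) {
    findings.push('credentialSecret is false: flow credentials are stored unencrypted');
  } else if (typeof s.credentialSecret !== 'string') {
    findings.push('credentialSecret not set in settings.js: the runtime generates one outside your control');
  } else if (s.credentialSecret.length < 32) {
    findings.push('credentialSecret is short: use a long random value');
  }
  // Transport: TLS configured and plain HTTP redirected.
  if (!s.https) {
    findings.push('https not configured: editor and admin traffic would use plain HTTP');
  } else if (s.requireHttps !== true) {
    findings.push('requireHttps is not true: plain HTTP is still accepted next to HTTPS');
  }
  // Supply chain: lock the palette so nodes only arrive through a reviewed build.
  const palette = (s.editorTheme && s.editorTheme.palette) || {};
  if (palette.editable !== false) {
    findings.push('editorTheme.palette.editable is not false: community nodes can be installed from the editor');
  }
  return findings;
}

// Constructed sample settings (not a real deployment); hash and PEM values are placeholders.
const PLACEHOLDER_HASH = '$2b$08$PLACEHOLDER_BCRYPT_HASH_PLACEHOLDER_BCRYPT_HASH_PLAC';
const hardened = {
  adminAuth: { type: 'credentials', users: [
    { username: 'admin', password: PLACEHOLDER_HASH, permissions: '*' },
    { username: 'viewer', password: PLACEHOLDER_HASH, permissions: 'read' } ] },
  credentialSecret: 'replace-with-a-long-random-secret-from-a-secret-store',
  https: { key: 'PEM placeholder', cert: 'PEM placeholder' }, requireHttps: true,
  editorTheme: { palette: { editable: false } },
};
const weak = { adminAuth: { type: 'credentials', users: [{ username: 'admin', password: 'password', permissions: '*' }] } };
```

Run `auditSettings(require('./settings.js'))` against a real settings file to get the same list for your deployment.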