By default, the Node-RED editor is not secured - anyone who can access the IP address and port it is running on can access the editor and deploy changes. This is only suitable if you are running on a trusted network.
This section describes how you can secure Node-RED. The security is split into two parts:
To enable user authentication on the Editor and Admin API, add the following to
users property is an array of user objects. This allows you to define
multiple users, each of whom can have different permissions.
This example configuration defines a single user called
admin who has permission
to do everything within the editor and has a password of
password. Note that
the password is securely hashed using the bcrypt algorithm.
httpAdminAuthcould be used to enable HTTP Basic Authentication on the editor. This option is deprecated and should not be used.
To generate a suitable password hash, you can use the
The tool will prompt you for the password you wish to use and then print out the hash that can be copied into the settings file.
Alternative, you can run the following command from within the Node-RED install directory:
node -e "console.log(require('bcryptjs').hashSync(process.argv, 8));" your-password-here
The example configuration above will prevent anyone from accessing the editor unless they log in.
In some cases, it is desirable to allow unlogged in users some level of access.
Typically, this will be giving read-only access to the editor. To do this,
default property can be added to the
adminAuth setting to define
the default user:
Prior to Node-RED 0.14, users could have one of two permissions:
*- full access
read- read-only access
From Node-RED 0.14 the permissions can be much finer grained and to support that, the property can either be a single string as before, or an array containing multiple permissions.
Each method of the Admin API defines what permission level is needed to access it.
The permission model is resource based. For example, to get the current flow configuration,
a user will require the
flows.read permission. But to update the flows they will require
By default, access tokens expire after 7 days after they are created. We do not currently support refreshing the token to extend this period.
The expiration time can be customised by setting the
adminAuth setting. This defines, in seconds, how long a token is valid
for. For example, to set the tokens to expire after 1 day:
adminAuth property set, the Admin API documentation
describes how to access the API.
Rather than hardcode users into the settings file, it is also possible to plug in custom code to authenticate users. This makes it possible to integrate with existing authentication schemes.
The following example shows how an external module can be used to provide the custom authentication code.
adminAuthproperty in settings.js to load this module:
The routes exposed by the HTTP In nodes can be secured using basic authentication.
httpNodeAuth property in your
settings.js file can be used to define a single
username and password that will be allowed to access the routes.
pass property uses the same format as
adminAuth. See Generating the password hash for more information.
Access to any static content defined by the
httpStatic property can be secured
httpStaticAuth property, which uses the same format.
passproperty was expected to be an MD5 hash. This is cryptographically insecure, so has been superseded with bcrypt, as used by
adminAuth. For backwards compatibility, MD5 hashes are still supported - but they are not recommended.