Securing Node-Red with SSL and Username Authentication

Out of the box your connection to node-red is insecure.

If you are exposing node-red to the Internet or just want a more secure installation then you can:

  • Enforce an SSL connection.
  • Require Username and Password Authentication.


When configuring multiple security settings I try to configure one security setting at a time and test it before configuring the next.

Configuring SSL

To enforce SSL you will need to install a certificate and key on your node-red server.

In this tutorial we will be using a self-signed certificate, which we will create ourselves using openssl, and I will be using a Raspberry Pi to host node-red.

Creating a Self Signed Certificate

1. Create a private key

openssl genrsa -out node-key.pem 2048

2. Create a certificate Request

openssl req -new -sha256 -key node-key.pem -out node-csr.pem

You will need to fill out a form. The most important entry is near the end and is the common name field.

This should be the FQDN of the server hosting node-red or the IP address. I used raspberrypi.home.

3. Sign the Certificate with the Private key to create a self signed Certificate

openssl x509 -req -in node-csr.pem -signkey node-key.pem -out node-cert.pem

Note: I created my files in a sub folder of my .node-red folder called nodecerts.

Editing the Node-Red Settings File

I recommend you use your own settings file while you are trying this. You can copy the settings file to the default location when you have tested the configuration.

The default settings file is called settings.js and is located in the /usr/lib/node-modules/node-red/ folder by default (Raspberry Pi).

I copied this to my .node-red folder and renamed it mysettings.js.

You need to do the following:

Un-comment the line

var fs=require("fs")

This line is near the top of the file.

In the AdminAuth section un-comment the https section and edit as shown in the screenshot below:


There is another setting:

requireHttps: true,

Note: there should be a comma at the end.

This should cause a redirect to https if you try connecting to http.

Note: I didn’t get this to work with SSL so you may need to skip this.

You can now start node-red using:

node-red -s mysettings.js

Now when you connect using the browser you should get a certificate warning which you can override.


Username and Password Authentication

The Node-Red Editor and Admin API support two types of authentication:

  • username/password credential based authentication
  • OAuth/OpenID authentication (since Node-RED 0.17)

On node-red there are three places where you can configure/require authentication.

  • The Admin console (node-red editor)
  • Nodes
  • Static Pages

In this section we will look at username and password authentication for the admin console.

The default settings file has a section called Securing node red which is commented out and serves as a template.


The default entry shows the user admin with a password of password (hashed) and all permissions (* wildcard).

You can create additional users by copying the users section and editing accordingly.


Note: The password hash for steve is different from that of admin, but the actual password is the same. This is how the bcrypt algorithm works: each hash includes its own random salt.

Steve has got read permissions which means that he cannot edit or create new flows.

Generating Passwords

You can create passwords for use in the settings file by using the admin command line hash-pw command as follows:


If you right click on the password you can copy it using CTRL+C.

When you try to connect to the admin page you should get a login screen.


You can also use online bcrypt tools for creating the passwords like this one.

Securing The Dashboard

To secure the node-red dashboard use the httpNodeAuth setting.

Only a single user account is allowed.

httpNodeAuth: {user:"fred",pass:"$2a$04$3gkGX/Q4VZ//F37kWvSU9eE9EM1WO2rdWk1oj/kfXIbeBON5eA56S"},

You create the passwords using the hash-pw command line tools as before.

When you try and access the page you should be prompted to login.


Securing Static Pages

Node-red can serve static web pages. These web pages are served from the usr/lib/node-modules/public folder by default.

You can change the location by using the httpStatic setting in the settings file.

Generally you would want to move it to a folder in your home directory e.g.

httpStatic: '/home/steve/.node-red/node-red-static/',

You can secure this folder using the httpStaticAuth setting.


You create the passwords using the hash-pw command line tools as before.

When you try to access the page you should be prompted to login.
Note: Only a single account is possible. It also appears to clash with the httpNodeAuth setting which is used to secure the dashboard.
If using both use the same username and password for both.


On a working system, tightening the security on your node-red installation is important.

Requiring username/password authentication and SSL is a minimum requirement. See Exposing Node-Red to the Internet
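
One way to check a settings file against the points covered in this tutorial, as an added example (not part of the original tutorial or of node-red itself): it parses the bcrypt strings and flags missing https, adminAuth, httpNodeAuth and httpStaticAuth entries. The function names, the minimum cost of 8 and the sample settings object are assumptions of this example; adminAuth users are assumed to be in the array form, and fred's hash is the one shown in the dashboard section.

```javascript
// Added example: audit a Node-RED settings object for the options covered above.
// bcrypt string layout: $<version>$<cost>$<22-char salt><31-char digest>
const BCRYPT = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;
const MIN_COST = 8; // assumption: threshold chosen for this example

// Split a bcrypt string into its parts; null if it is not a bcrypt hash.
function parseBcrypt(hash) {
  const m = BCRYPT.exec(String(hash));
  return m && { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Record a finding if a stored password is plain text or uses a low cost factor.
function checkHash(where, user, pass, out) {
  const h = parseBcrypt(pass);
  if (!h) out.push(`${where}: password for "${user}" is not a bcrypt hash`);
  else if (h.cost < MIN_COST)
    out.push(`${where}: bcrypt cost ${h.cost} for "${user}" is below ${MIN_COST}`);
}

// Returns a list of findings; an empty list means every check passed.
function auditSettings(s) {
  const out = [];
  if (!s.https) out.push("https: not set, node-red itself serves plain HTTP");
  const users = s.adminAuth && Array.isArray(s.adminAuth.users) ? s.adminAuth.users : [];
  if (users.length === 0) out.push("adminAuth: no users defined, editor needs no login");
  for (const u of users) checkHash("adminAuth", u.username, u.password, out);
  const node = s.httpNodeAuth, stat = s.httpStaticAuth;
  if (!node) out.push("httpNodeAuth: not set, dashboard needs no login");
  else checkHash("httpNodeAuth", node.user, node.pass, out);
  if (s.httpStatic && !stat) out.push("httpStaticAuth: not set, static pages need no login");
  if (stat) checkHash("httpStaticAuth", stat.user, stat.pass, out);
  if (node && stat && (node.user !== stat.user || node.pass !== stat.pass))
    out.push("httpNodeAuth and httpStaticAuth use different accounts");
  return out;
}

// Constructed sample: fake() hashes are made up; fred's hash is the one shown above.
const fake = (c) => "$2b$08$" + c.repeat(22) + "B".repeat(31);
const sample = {
  https: { key: "<node-key.pem contents>", cert: "<node-cert.pem contents>" },
  adminAuth: { type: "credentials", users: [
    { username: "admin", password: fake("A"), permissions: "*" },
    { username: "steve", password: fake("C"), permissions: "read" },
  ] },
  httpNodeAuth: { user: "fred", pass: "$2a$04$3gkGX/Q4VZ//F37kWvSU9eE9EM1WO2rdWk1oj/kfXIbeBON5eA56S" },
  httpStatic: "/home/steve/.node-red/node-red-static/",
};
console.log(auditSettings(sample).join("\n"));
```

On the sample it reports the cost factor of 4 in fred's hash and the missing httpStaticAuth entry.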



  1. Hello Steve,
    Thank you for the great tutorial. After setting up SSL, I opened the editor. I get a "connection lost" message after a second. Clearing the cache of the browser didn’t solve this.
    Any idea?

  2. Hi again Steve,
    Fantastic tutorial and now I have id and password set up on node red and dashboard. I have followed your tutorial to the letter but am confused over the SSL certs. When I log on with my Chrome browser using https it still says not secure and I have to click on the advanced button to access my website. Is there anything more I need to do to get SSL working correctly?
    Cheers Don…

    1. Don
      No, that is normal as you are using a self signed cert and the browser doesn’t know about it. If you add it to your certs it will get rid of the error message but if you access it from a browser on another computer it will appear again. It is nothing to worry about; it is still using SSL.

  3. Hi,
    Thanks for the instructions. No login window appears when I try to access either the editor interface or the ui. For the editor I just get the message that the site can’t be reached. I can access the ui, it is read-only. There is no prompt for user or password anywhere. Do you have any ideas?


    1. Try closing and opening the browser.
      If no joy send me your setting file using the ask-steve page and I’ll take a look. When you do let me know the password so I can check.

  4. Hi, I am using httpNodeAuth but once I log in there is no logout button or something like that, and I must change the password or user if I want to log in again. Why? Thanks

    1. Hi
      Hadn’t really noticed until you mentioned it. The login is a security feature that probably not many people currently use as most implementations are internal.
      I’ll try to find time to explore it again to see if there are other options available.

  5. Hello Steve,

    Thanks for this awesome guide.
    Do you know how to set up a proxy config for node-red? I only read something about using environment variables; I defined them but it still won’t work.

    HTTP_PROXY -> HTTP_PROXY=http://url
    HTTPS_PROXY -> HTTPS_PROXY=http://url

    I’m using node-red with IBM Watson Assistant (conversation) and the request fails because of the proxy.

    Error message of the node-red server:
    [error] [watson-conversation-v1:chatbot] Error: tunneling socket could not be established, cause=connect ECONNREFUSED

    1. Hi
      When I did it I used an nginx server and it involves zero change on node-red.
      I had never used nginx and it was pretty straightforward. I can send you my nginx config file if you want; just use the ask steve page.

  6. I have followed this link.

    But when I am sending webhooks from Shopify to the node-red http end point, it is not sending any request. Then I tried beeceptor and redirected the request to my node-red end point; there it is throwing the below error:
    SSL or certificate issue while connecting.

    I have purchased SSL also for a domain and redirected that to my node-red IP but still the same issue is there.

    1. Am I correct in understanding you are trying to connect a Shopify site to node-red?
      Can you access node-red with a normal browser?

  7. Hi, is there a way for /ui to be secured without a popout window, but to enter credentials like on a login screen, on the actual page?

    1. Not with the node-red settings. On Linux you can use iptables to do what you want; on Windows you would need to use the Windows firewall.

  8. Hi Steve,
    I could install everything as described. Thank you for the guidance.
    Where I do have a problem is when I call my node-red with the browser Chrome or Firefox, I still get an unsafe connection. It looks like they no longer allow self signed certificates.
    Is there a way to extend the self signed certificate to fulfill the certificates requested by the browser Chrome? I could not find anything on the internet regarding this.

    If I take the browser Edge, then it works well with a safe connection to my node-red. It seems that Edge is not testing what other browsers now do.

    Thanks, Bruno

    1. I know Chrome has tightened up on SSL certificates but I would assume that it still allows access but with a warning. Is that what you are seeing?
