How to Secure Node-RED Dashboard



Password Hashing with "node-red admin hash-pw":

Node-RED provides a command-line tool, "node-red admin hash-pw", to generate hashed passwords. Storing a hashed password is safer than storing a plain-text password, because the password itself never appears in the settings file. To generate a hashed password, run the tool in a terminal:

        node-red admin hash-pw

You'll be prompted to enter and confirm the desired password. The tool will then output the hashed version, which you can use in the Node-RED settings.

Updating settings.js:

Next, integrate the hashed password into the Node-RED settings.js file. Locate the settings.js file in your Node-RED installation directory (Example: C:\Users\Parrot\.node-red) and open it in a text editor. Search for the section related to dashboard authentication (httpNodeAuth):

        /** To password protect the node-defined HTTP endpoints (httpNodeRoot),
         * including node-red-dashboard, or the static content (httpStatic), the
         * following properties can be used.
         * The `pass` field is a bcrypt hash of the password.
         * See https://nodered.org/docs/security.html#generating-the-password-hash
         */
        //httpNodeAuth: {user:"user",pass:"hashed_password_here"},
        //httpStaticAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},

Uncomment the httpNodeAuth line by removing the leading "//", set the user to "admin", and replace "hashed_password_here" with the output generated by the "node-red admin hash-pw" command. This configuration specifies the username ("admin") and the corresponding hashed password for accessing the Node-RED Dashboard.
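
As an added example (not part of the original post or of Node-RED itself), the following JavaScript checks a settings object for the mistakes this step invites: an httpNodeAuth entry left unset, a `pass` value that is still the placeholder or plain text, or the sample hash copied from the commented-out lines. The function names and MIN_COST are assumptions made for the example.

```javascript
// Added example: static audit of the auth entries in a Node-RED settings object.
// SAMPLE_HASH is the value shown commented out in settings.js on this page.
const SAMPLE_HASH = "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.";
// bcrypt string layout: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 digest chars.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/;
const MIN_COST = 8; // assumption: the cost seen in the hashes on this page

function checkAuthEntry(name, entry) {
  if (!entry) return [`${name}: not set, endpoints are reachable without a password`];
  const findings = [];
  if (typeof entry.user !== "string" || entry.user === "") {
    findings.push(`${name}: user is missing`);
  }
  const match = BCRYPT_RE.exec(typeof entry.pass === "string" ? entry.pass : "");
  if (!match) {
    findings.push(`${name}: pass is not a bcrypt hash (plain text or placeholder)`);
  } else if (entry.pass === SAMPLE_HASH) {
    findings.push(`${name}: pass is the sample hash from the commented-out lines`);
  } else if (Number(match[1]) < MIN_COST) {
    findings.push(`${name}: bcrypt cost ${match[1]} is below ${MIN_COST}`);
  }
  return findings;
}

function auditSettings(settings) {
  const findings = checkAuthEntry("httpNodeAuth", settings.httpNodeAuth);
  // httpStaticAuth only matters when static content is served or the key is present.
  if (settings.httpStatic || settings.httpStaticAuth) {
    findings.push(...checkAuthEntry("httpStaticAuth", settings.httpStaticAuth));
  }
  return findings;
}

// Inputs taken from the page: the modified entry, and the unedited placeholder.
const modified = { httpNodeAuth: { user: "admin",
  pass: "$2b$08$M0/GHpeUMO2cR70u3HbUKu9/cZurxUiTRWCe0/vg28WyY16Ez9qlC" } };
const placeholder = { httpNodeAuth: { user: "user", pass: "hashed_password_here" } };

for (const [label, cfg] of Object.entries({ modified, placeholder })) {
  const findings = auditSettings(cfg);
  console.log(label, findings.length ? findings : "ok");
}
```

The check is purely structural: it confirms that `pass` has the shape of a bcrypt hash, not that it matches any particular password.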

Conclusion:

By following these steps, you can significantly improve the security of your Node-RED Dashboard. Utilizing hashed passwords adds a layer of protection, mitigating the risk of unauthorized access and potential security breaches. Regularly review and update security configurations to stay ahead of emerging threats in the dynamic landscape of IoT and dashboard applications.

Download Section:

Original settings.js file

        /** To password protect the node-defined HTTP endpoints (httpNodeRoot),
         * including node-red-dashboard, or the static content (httpStatic), the
         * following properties can be used.
         * The `pass` field is a bcrypt hash of the password.
         * See https://nodered.org/docs/security.html#generating-the-password-hash
         */
        //httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
        //httpStaticAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},

Modified settings.js file with 1 user

        /** To password protect the node-defined HTTP endpoints (httpNodeRoot),
         * including node-red-dashboard, or the static content (httpStatic), the
         * following properties can be used.
         * The `pass` field is a bcrypt hash of the password.
         * See https://nodered.org/docs/security.html#generating-the-password-hash
         */
        httpNodeAuth: {user:"admin",pass:"$2b$08$M0/GHpeUMO2cR70u3HbUKu9/cZurxUiTRWCe0/vg28WyY16Ez9qlC"},
        //httpStaticAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
