Securing your node-red editor and dashboard on the Raspberry Pi

If you leave the node-red installation on your rpi running without a password, you will be hacked and soon owned by people using your rpi as a Bitcoin mining device. It is easy to set a password for the editor and for the dashboard:

Node-red is installed in /home/pi/.node-red. The dot in front means the directory is hidden, so you will normally not be able to see it. Set up your file manager to show hidden files or, if you are using the terminal, use ls -a or ls -al in the /home/pi directory to see everything that is there.

Edit the settings.js file with

nano settings.js

Uncomment this section in the settings.js file:

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "xxxhash key is pasted herexxxx",
        permissions: "*"
    }]
},

You will need to generate a hash by running node-red-admin with the hash-pw command. Paste the resulting hash into the password field above, in place of xxxhash key is pasted herexxxx (keep the " " quotation marks and don't mess up the [ ] { } , characters).

You will probably have to install the node-red-admin tools first (Google how to do that with npm) to be able to use node-red-admin.

For the dashboard, follow the same procedure, but this time uncomment this line:

httpNodeAuth: {user:"user",pass:"xxxxdashboard hash key is pasted herexxxx"},

Make sure to keep all commas etc.!
If you are uncertain which directory your rpi reads the settings.js file from, you can start node-red with node-red-pi and look at the messages in the console. It will report the location and the file it uses. Don't edit the wrong settings.js file … there are several installed on your pi, it seems.

Restart node-red.
IMPORTANT! CLEAR THE CACHE of your web browser. If you don't, you will not see the password prompt on the editor and the dashboard, as node-red uses the cache quite heavily. See https://support.mozilla.org/en-US/kb/how-clear-firefox-cache for how to clear the Firefox cache.
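
A quick way to confirm that both settings from the steps above are really active and hold hashes rather than placeholders or plain text. This is an added example, not part of node-red or of the original post; the function name auditSettings and the sample values are assumptions made up for illustration.

```javascript
// Added example: audits the two settings this page tells you to uncomment.
// Shape of a bcrypt hash as printed by `node-red-admin hash-pw`:
// $2a$/$2b$/$2y$, a two-digit cost, then 53 characters of salt and hash.
const BCRYPT = /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/;

function auditSettings(settings) {
  const problems = [];
  const admin = settings.adminAuth;
  if (!admin) {
    problems.push("adminAuth is missing or still commented out: editor has no password");
  } else if (admin.type !== "credentials" || !Array.isArray(admin.users)) {
    problems.push("adminAuth is not a 'credentials' user list: not checked here");
  } else {
    if (admin.users.length === 0) problems.push("adminAuth.users is empty");
    for (const u of admin.users) {
      if (!BCRYPT.test(String(u.password))) {
        problems.push(`adminAuth user '${u.username}': password is not a bcrypt hash`);
      }
    }
  }
  const http = settings.httpNodeAuth;
  if (!http) {
    problems.push("httpNodeAuth is missing or still commented out: dashboard has no password");
  } else if (!BCRYPT.test(String(http.pass))) {
    problems.push(`httpNodeAuth user '${http.user}': pass is not a bcrypt hash`);
  }
  return problems;
}

// Constructed sample input: correct shape only, not a real hash.
const SAMPLE_HASH = "$2b$08$" + "A".repeat(53);
const good = {
  adminAuth: { type: "credentials",
    users: [{ username: "admin", password: SAMPLE_HASH, permissions: "*" }] },
  httpNodeAuth: { user: "user", pass: SAMPLE_HASH },
};
// Typical mistakes: placeholder left in place, dashboard line still commented out.
const bad = {
  adminAuth: { type: "credentials",
    users: [{ username: "admin", password: "xxxhash key is pasted herexxxx", permissions: "*" }] },
};

console.log(auditSettings(good)); // empty list: nothing to fix
console.log(auditSettings(bad));  // one line per problem found
// To audit the real file: auditSettings(require("/home/pi/.node-red/settings.js"))
```

An empty list means both the editor and the dashboard settings are present and carry a hash; it does not prove the hash matches the password you intended, so still log in once to confirm.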