
SSO + Zero-Day Protection for Node-RED

by OpenJS Foundation

Add SAML/OIDC SSO to Node-RED — Secure Your Flow-Based Automation Platform

Why Node-RED Needs an Authenticated Proxy

Node-RED is a flow-based development tool for visual programming of IoT devices, API integrations, and automation workflows. Node-RED flows can control industrial equipment, process sensor data, trigger business workflows, and integrate with external APIs. A compromised Node-RED instance gives attackers control over automated processes, access to API credentials, and potential control of connected IoT devices. OnePAM adds enterprise SSO to Node-RED, ensuring only authorized automation engineers can design and deploy flows.

HTTP Header Authentication
X-Forwarded-User

Node-RED's editor and admin API are secured through the adminAuth setting, which accepts custom authentication modules (a passport strategy, custom users/authenticate functions, or a tokens hook that validates a header value), while httpNodeAuth and httpNodeMiddleware cover the HTTP-in endpoints. OnePAM authenticates the user and injects the resulting identity as an HTTP header (X-Forwarded-User); a small adminAuth hook in settings.js maps that header to a Node-RED user and its permissions. Trusting a header is only safe when Node-RED accepts connections exclusively from OnePAM and OnePAM overwrites any client-supplied X-Forwarded-User; otherwise any caller could claim an arbitrary identity.
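The header-trust hook described above, as an added example rather than OnePAM's or Node-RED's own code. It is a settings.js fragment for the adminAuth tokens hook and tokenHeader option documented under Securing Node-RED (check that your Node-RED version supports both). The editor and viewer allow-lists, the permission levels and the header name X-Forwarded-User are constructed assumptions; in production the sets would be driven by IdP group membership.

```javascript
// Added example, not OnePAM's or Node-RED's own code: settings.js fragment that
// turns the X-Forwarded-User header injected by the proxy into a Node-RED user.
// Assumes Node-RED is reachable only through the proxy and that the proxy
// overwrites X-Forwarded-User on every request (otherwise the header is spoofable).

// Constructed sample allow-lists; in practice derived from IdP group membership.
const EDITORS = new Set(["alice@example.com", "bob@example.com"]); // may deploy flows
const VIEWERS = new Set(["ops-viewer@example.com"]);               // read-only editor

// Only plain identifiers are accepted, so a malformed or CRLF-laden header value
// is rejected before it can reach the permission lookup or the audit log.
const USER_RE = /^[A-Za-z0-9._@+-]{1,128}$/;

// Map the header value to a Node-RED user object ({ username, permissions }),
// or null to deny. Returning null makes the runtime answer 401 rather than
// silently falling back to an anonymous user.
function userFromForwardedUser(value) {
  if (typeof value !== "string") return null;
  const username = value.trim().toLowerCase();
  if (!USER_RE.test(username)) return null;
  if (EDITORS.has(username)) return { username, permissions: "*" };
  if (VIEWERS.has(username)) return { username, permissions: "read" };
  return null; // authenticated at the IdP but not entitled to this instance
}

// The adminAuth block of settings.js. users/authenticate resolve to null so no
// local password login exists; every identity must arrive via the proxy header.
const adminAuth = {
  type: "credentials",
  users: function (username) { return Promise.resolve(null); },
  authenticate: function (username, password) { return Promise.resolve(null); },
  tokenHeader: "x-forwarded-user",          // read this header instead of Authorization
  tokens: function (value) {                // called with the header's value
    return Promise.resolve(userFromForwardedUser(value));
  },
};

// In settings.js: module.exports = { ..., adminAuth: adminAuth, ... };
```

The deny-by-default return matters: a user who passed SSO but belongs to no mapped group still gets 401 from Node-RED, so entitlement to a particular instance is enforced on both sides of the proxy.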

Node-RED Vulnerability Risks

Node-RED ships with editor authentication disabled (adminAuth is commented out in the default settings.js), so without an authenticated proxy or an adminAuth configuration these risks are directly exploitable by anyone who can reach port 1880.

Node-RED flows can execute arbitrary JavaScript and system commands
API credentials pasted into function nodes or plain configuration fields are visible to anyone with editor access (only fields declared as credential properties are stored encrypted in flows_cred.json and masked in the editor)
IoT device controls accessible through flow endpoints can affect physical systems
Function nodes can read the filesystem and make network requests

Security Challenges with Node-RED

These are the risks organizations face when Node-RED is not behind an authenticated proxy.

Arbitrary Code Execution

Node-RED function nodes execute JavaScript on the server. Custom nodes can run system commands and access the filesystem.

API Credential Exposure

Flows contain API keys, OAuth tokens, database credentials, and MQTT broker credentials in node configurations; anything not stored in a credential-type field sits in plain text in flows.json and in the editor.

IoT Device Control

Node-RED flows may control industrial equipment, building systems, or IoT devices — unauthorized changes can have physical consequences.

Basic Authentication

Node-RED ships with the editor unauthenticated; its built-in adminAuth option is a static username/password list (bcrypt hashes in settings.js). Enterprise SSO requires a custom authentication module or passport strategy.

Flow Tampering

Unauthorized users could modify automation flows to disrupt processes or exfiltrate data.

No Session Auditing

Node-RED has no session recording. Its built-in audit logging (the audit flag under logging.console in settings.js) records admin API requests, is off by default, and does not capture what changed in a flow.

How OnePAM Adds SSO + Zero-Day Protection to Node-RED

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Node-RED.

1

Deploy OnePAM as Node-RED Proxy

Place OnePAM in front of the Node-RED editor and dashboard.

Node-RED is configured to accept connections only from OnePAM. Direct access is blocked.
2

Configure Your Identity Provider

Connect OnePAM to your SAML/OIDC provider.

Automation engineers authenticate via corporate SSO with MFA before accessing the flow editor.
3

Enable Proxy Authentication

Node-RED trusts the authenticated identity from OnePAM's headers.

Individual users are identified for accountability. No shared passwords.
4

Separate Editor and Dashboard Access

Different access levels for flow editor vs. read-only dashboard.

Engineers can edit flows; operators can view dashboards; external users get specific HTTP endpoints.
5

Audit Flow Changes

Every editor session and flow deployment is logged with corporate identity.

Track who modified which flows, when deployments happened, and what changed.

Benefits of Securing Node-RED with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Node-RED.

Protect Automation Flows

Only authorized engineers can access the flow editor and modify automation logic.

Zero unauthorized flow access

Enterprise SSO for Node-RED

Replace static passwords with corporate SSO. Individual accountability for every flow change.

Corporate SSO for automation

Secure API Credentials

API keys and tokens in flow configurations are protected behind enterprise authentication.

Credentials protected

IoT Safety

Prevent unauthorized modifications to flows controlling IoT devices and physical systems.

Physical system protection

MFA for Automation

Require MFA before accessing the flow editor or deploying changes.

MFA-protected flows

Deployment Audit Trail

Every flow deployment tracked with who, when, and what changed.

Complete deployment history

Node-RED SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Node-RED.

SAML 2.0 & OIDC SSO for Node-RED editor and dashboard
Separate access policies for editor vs dashboard
Flow deployment access control by IdP group
Session recording for compliance
IP and geo-restriction
Device trust verification
HTTP endpoint access policies
API credential access auditing
Multi-instance Node-RED SSO
Dashboard read-only access for operators

Zero-Day Protection Features

Enterprise-grade security controls that shield Node-RED from exploitation.

Node-RED isolated from direct network access
End-to-end TLS encryption
Request-level authentication
WebSocket authentication for editor sessions
Header injection prevention
Automatic session invalidation on IdP sign-out

Node-RED SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Node-RED.

1
Automation engineers accessing Node-RED with corporate SSO and MFA
2
Restricting flow editor access while allowing dashboard viewing for operators
3
Securing IoT automation platforms in manufacturing environments
4
Auditing flow changes for change management compliance
5
Protecting API credentials stored in Node-RED flows
6
Providing time-limited Node-RED access for contractors

Node-RED SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Node-RED.

Does OnePAM work with Node-RED's dashboard?

Yes. OnePAM can provide different access levels: editor access for engineers and read-only dashboard access for operators.

Can we protect Node-RED HTTP endpoints separately?

Yes. OnePAM policies can apply different authentication requirements to Node-RED's editor, dashboard, and HTTP-in endpoints.

Does OnePAM affect Node-RED's MQTT connections?

No. OnePAM protects the web interface only. MQTT, TCP, and other protocol connections from Node-RED to external services are unaffected, and so are inbound listeners such as TCP-in or UDP-in nodes, which bypass the proxy entirely and need their own network controls.

Does OnePAM support Node-RED in Docker?

Yes. OnePAM can proxy to Node-RED running in Docker, Kubernetes, or any other deployment method.

Can different teams have different Node-RED instances?

Yes. OnePAM can route authenticated users to different Node-RED instances based on IdP group membership.

Ready to Secure Node-RED with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Node-RED code changes required. Start your free 14-day trial today.