I had a similar problem a couple of months ago, in which I needed to add security to everything (NodeRed and web interface).
For NodeRed add password through the link shared above.
As for the Web Interface, what I did was remove everything and leave only the version and the option to restart the device, with this only someone with “experience” can enter and navigate through the functions.
That is an interesting solution that could work for us as well. I haven’t put an LTE sim in yet but is this page accessible on the LTE ip address? I’m looking for the web ui files location but I don’t know where to start to get this thing secured. Can you point me in the right direction to editing the web ui page?
I’m also finding it impossible to password protect node red. Seems that bcrypt isn’t installed on this device and I’m not finding any way to install it. So each time I try to login the login fails. The device also cannot create bcrypt hashes?