Those who know me from the Google group and Slack will know that I have a bit of a "thing" about security. It isn't easy to secure a web service at the best of times and trying to do so via your home network with minimal resources is even harder.
So why not avoid the issue altogether! By instead using a bot with a secure messaging service, you don't need to expose Node-RED or a web server, mess with certificates, authentication and authorisation. Nor worry about how to secure websockets.
The flow listed here demonstrates a simple Telegram bot that shows the current status of a set of wireless switches (in my case that control lights) and that let you turn them on and off via a simple text interaction.
If you want the full details, including pictures and some info on wiring up MQTT and the other dependencies, you can find them on the Totally Information development blog.