Use httpstatic to serve a image file

My node-RED https server is exposed to the internet, but I've taken a number of precautions to keep it safe. However, I'd like to serve an image file via httpstatic, without password protecting the node-defined HTTP endpoints (httpNodeRoot).

I don't care if anyone accesses the image file (it's only a logo), but wondered if it would expose a way into Node-RED, and leave my system vulnerable?

Nothing is perfect so there is always risk. As far as I know, there is no public security review of Node-RED so no certified way of assessing the risks without doing an independent review (which I know some companies have done).

My personal take would be this: If the data/processes you are protecting are relatively low value then Node-RED alone should be fine.

If they are of higher value, I would always recommend defence in depth and would use additional tools to provide separate layers of security using tools that have been very widely battle-tested.

But even the best of tools is vulnerable to mis-configuration. So ultimately, regular security testing including penetration tests are the ultimate method to assure security.

Since only you probably know the value of what you are doing, I'm afraid that only you can assess whether more is needed unless you want to pay for someone certified to do a professional review.

I would just bear in mind that Node-RED is a general-purpose tool and not one that specialises in security. Not that that makes it insecure but that there will be more opportunities to misconfigure than something more specialist.

1 Like

Thanks Julian, I understand the general risks to hosting valuable data/processing in Node-RED, but does serving an image file using httpstatic, without password protecting the http endpoints, create in itself a specific risk to Node-RED or the OS in general?

The image file itself has no value whatsoever.

No, it doesn't add any material difference as long as nobody else can upload or change the image. If they did find a way then the answer would be yes.

1 Like

Of course you could serve the file from somewhere else like github pages.

1 Like