My node-RED https server is exposed to the internet, but I've taken a number of precautions to keep it safe. However, I'd like to serve an image file via httpstatic, without password protecting the node-defined HTTP endpoints (httpNodeRoot).
I don't care if anyone accesses the image file (it's only a logo), but wondered if it would expose a way into Node-RED, and leave my system vulnerable?
Nothing is perfect so there is always risk. As far as I know, there is no public security review of Node-RED so no certified way of assessing the risks without doing an independent review (which I know some companies have done).
My personal take would be this: If the data/processes you are protecting are relatively low value then Node-RED alone should be fine.
If they are of higher value, I would always recommend defence in depth and would use additional tools to provide separate layers of security using tools that have been very widely battle-tested.
But even the best of tools is vulnerable to mis-configuration. So ultimately, regular security testing including penetration tests are the ultimate method to assure security.
Since only you probably know the value of what you are doing, I'm afraid that only you can assess whether more is needed unless you want to pay for someone certified to do a professional review.
I would just bear in mind that Node-RED is a general-purpose tool and not one that specialises in security. Not that that makes it insecure but that there will be more opportunities to misconfigure than something more specialist.
Thanks Julian, I understand the general risks to hosting valuable data/processing in Node-RED, but does serving an image file using httpstatic, without password protecting the http endpoints, create in itself a specific risk to Node-RED or the OS in general?
The image file itself has no value whatsoever.
No, it doesn't add any material difference as long as nobody else can upload or change the image. If they did find a way then the answer would be yes.
Of course you could serve the file from somewhere else like github pages.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy