Hi Gatsby Team!
Why do we need Gatsby develop mode on the internet?
Our authors are non technical people who contribute content directly to CMS.
We are running Gatsby in develop mode on an Amazon EC2 instance to provide them a better preview experience. When authors make some changes on the CMS side, we just trigger
The server is available on the internet and restricted with Basic auth, that's it. As well, we activated https for sure.
Questions
What do you think about making a server running gatsby develop available on the internet from a security perspective?
Does the Gatsby server in develop mode open some insecure sockets? Does it give some potential for vulnerabilities?
Thanks!
Hey @teavirdis
There aren't any security vulnerabilities _per se_ but gatsby develop does expose the /___graphql route that gives access to all your data (which you might or might not be with)
Also, I really wouldn't recommend running gatsby develop as a production server as one would miss out on all the benefits of building to static assets. As an internal preview server of sorts, I suppose it's fine.
@teavirdis expanding on what @sidharthachatterjee said, and from the perspective of a contributor to the project, vulnerabilities per se there are none until someone finds one and reports it, and then it's fixed either by a development team member or even by a contributor like myself.
I applied the same approach you're using a while ago to demonstrate a proof of concept to an audience that was not in any way, shape or form technically savvy, as part of the audience was in a different part of the country and one part in a different country, and I got no issues whatsoever.
But it goes without saying that while demoing it's fine in this form. But I would like to leave a couple of items regarding this issue:
Hope I can see the finished product being added to the list of sites in the near future. I would like to thank you for using Gatsby.
Thank you guys for the answers! Such great support brings a lot of confidence in using your solution :)