Skip to main content

Security Best Practices

Remotion is a software that can generate videos programmatically. It does so by running a headless browser, capturing images, and encoding them into a video. This in itself does not pose a security risk. However, Remotion interacts with the Web, can be used in the cloud and uses the NPM ecosystem.

Environment variables

When starting the Remotion Studio or running a render via the command line, environment variables that are prefixed with REMOTION_ and .env are passed to the headless browser. You are responsible to ensure those environment variables do not exposed to other services as you are interfacing with the Web.

Credentials on the web

You should not try to call renderMediaOnLambda() or other APIs from @remotion/lambda from your app frontend. Those APIs can only be called with AWS credentials, meaning that you would have to expose your AWS credentials to the web. This is a security risk and should be avoided.

disableWebSecurity flag

We provide as a workaround for CORS issues the disableWebSecurity flag. This flag disables the same-origin policy in the headless browser. If you are using it, you need to be aware of the implications of it and assess whether this can pose a security risk to you.

DDoS attacks

APIs such as renderMedia() and renderMediaOnLambda() may be expensive (computationally or financially) to run. You should ensure that you are not exposing those APIs to the web without authentication or rate limiting. Otherwise, you may be vulnerable to DDoS attacks.

General Node.JS security best practices

Often you will use Remotion alongside other Node.js dependencies.
You should only install dependencies you trust, since they can run arbitrary code in their postinstall scripts. Dependencies, including Remotion, may have known vulnerabilities which you can list with the npm audit command.

Reporting of security vulnerabilities

If you believe to have found a security vulnerability, you can report it to hi@remotion.dev