Remotion is a software that can generate videos programmatically. It does so by running a headless browser, capturing images, and encoding them into a video. This in itself does not pose a security risk. However, Remotion interacts with the Web, can be used in the cloud and uses the NPM ecosystem.
When starting the Remotion Studio or running a render via the command line, environment variables that are prefixed with
.env are passed to the headless browser. You are responsible to ensure those environment variables do not exposed to other services as you are interfacing with the Web.
Credentials on the web
You should not try to call
renderMediaOnLambda() or other APIs from
@remotion/lambda from your app frontend. Those APIs can only be called with AWS credentials, meaning that you would have to expose your AWS credentials to the web. This is a security risk and should be avoided.
We provide as a workaround for CORS issues the
disableWebSecurity flag. This flag disables the same-origin policy in the headless browser. If you are using it, you need to be aware of the implications of it and assess whether this can pose a security risk to you.
APIs such as
renderMediaOnLambda() may be expensive (computationally or financially) to run. You should ensure that you are not exposing those APIs to the web without authentication or rate limiting. Otherwise, you may be vulnerable to DDoS attacks.
General Node.JS security best practices
Often you will use Remotion alongside other Node.js dependencies.
You should only install dependencies you trust, since they can run arbitrary code in their
Dependencies, including Remotion, may have known vulnerabilities which you can list with the
npm audit command.