Hi Chris, I expect Nick/Dave will chip in at some point after holidays.
From my own perspective, I'd have to say that NR cannot be considered for high-security production use as it stands. That, of course, was never its intention as far as I can tell as an outsider, so that isn't particularly a criticism, simply an observation.
I would also say that, since NR is based around Node.JS, Node itself is in a similar place as indicated by the fact that it has remained in "beta" state for many years now.
I think that, to run in production with a reasonable expectation of security, you would probably need a number of technologies to support:
- Ensure that all web interactions (including websockets) are properly filtered and sanitised
- Run NR in embedded form using Node.JS security features (e.g. logins)
- Run behind a secure web frontend such as NGINX with Phusion Passenger (which you can also use to keep the whole thing running, restarting automatically on failure and running as a cluster if needed)
- Run the whole thing in a container (Docker?) to help isolate the code from the host OS
Then get a specialist to do at least a comprehensive penetration test on the whole configuration.
Just a few thoughts anyway; my use of NR and Node.JS is mainly personal rather than professional, so I can't claim to be an expert in their security. Hope they are helpful.