diagrams.net (draw.io) is often used for architecture and network diagrams that can contain sensitive infrastructure details. Hardening should prioritize offline mode, TLS, and plugin controls.
¶ 1) Run self-hosted in offline and private mode
- use self-hosted deployment endpoints with offline mode for browser access when possible (?offline=1)
- keep the application behind an internal reverse proxy or VPN for sensitive environments
- disable unnecessary cloud storage integrations if data must remain internal
¶ 2) Enforce TLS and certificate hygiene
- use HTTPS only and valid certificates (Let’s Encrypt or managed certificates)
- replace default keystore passwords and manage TLS key material outside container images
- expose only required ports and block direct container access from untrusted networks
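The following is an added example, not code from the page or from the draw.io project: a small POSIX shell audit that checks the artefacts of a self-hosted deployment against points 1 and 2 above. It compares a weak and a hardened docker-compose publish fragment (the jgraph/drawio image listens on 8080 and 8443), a weak and a hardened nginx reverse-proxy fragment, the launch URL handed to users, and an environment file. The hostname diagrams.example.internal, the env-variable name KEYSTORE_PASS, the certificate paths and the sample password are all constructed for the example; the only non-constructed detail is that "changeit" is the Java default keystore password.

```shell
#!/bin/sh
# Added example (not from the page or the draw.io project): audit a
# self-hosted draw.io deployment description against the hardening
# points above. All inputs are constructed samples.

# Weak compose fragment: Tomcat's 8080 and 8443 published on every interface.
WEAK_COMPOSE='services:
  drawio:
    image: jgraph/drawio
    ports:
      - "8080:8080"
      - "8443:8443"'

# Hardened compose fragment: one port, bound to loopback, so only the
# reverse proxy on the same host can reach the container.
HARD_COMPOSE='services:
  drawio:
    image: jgraph/drawio
    ports:
      - "127.0.0.1:8080:8080"'

# Weak proxy: plain HTTP straight to the container.
WEAK_NGINX='server {
  listen 80;
  location / { proxy_pass http://127.0.0.1:8080; }
}'

# Hardened proxy: port 80 only redirects; TLS terminates here with key
# material kept on the host (constructed paths), not inside the image.
HARD_NGINX='server {
  listen 80;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl;
  ssl_certificate     /etc/letsencrypt/live/diagrams.example.internal/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/diagrams.example.internal/privkey.pem;
  location / { proxy_pass http://127.0.0.1:8080; }
}'

# Environment files; the variable name KEYSTORE_PASS is hypothetical and
# the hardened value is a constructed sample.
WEAK_ENV='KEYSTORE_PASS=changeit'
HARD_ENV='KEYSTORE_PASS=Qk3p9XmT2v'

# ports_loopback_only COMPOSE_TEXT
# 0 when every short-syntax "host:container" publish line is bound to
# 127.0.0.1, 1 otherwise (long-syntax ports: entries are not parsed).
ports_loopback_only() {
  exposed=$(printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.:]+:[0-9]+"?[[:space:]]*$' \
    | grep -vc '127\.0\.0\.1:' || true)
  [ "$exposed" -eq 0 ]
}

# https_only NGINX_TEXT
# 0 when a TLS listener exists and any port-80 listener is accompanied by
# an https redirect; a line-level check, not a full nginx config parse.
https_only() {
  printf '%s\n' "$1" | grep -Eq 'listen[[:space:]]+443[[:space:]]+ssl' || return 1
  if printf '%s\n' "$1" | grep -Eq 'listen[[:space:]]+80;'; then
    printf '%s\n' "$1" | grep -Eq 'return 301 https://' || return 1
  fi
  return 0
}

# launch_url_ok URL
# 0 when the URL given to users is https and carries offline=1 as a
# complete query parameter.
launch_url_ok() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  printf '%s\n' "$1" | tr '?&' '\n\n' | grep -qx 'offline=1'
}

# no_default_keystore_password ENV_TEXT
# 0 unless some *PASS* variable is empty or still "changeit".
no_default_keystore_password() {
  ! printf '%s\n' "$1" | grep -Eiq '^[A-Z_]*PASS[A-Z_]*=(changeit)?[[:space:]]*$'
}

# audit LABEL COMPOSE NGINX URL ENV
# Prints one line per check; returns 0 only when every check passed.
audit() {
  failed=0
  report() { if "$1" "$2"; then echo "  PASS $3"; else echo "  FAIL $3"; failed=$((failed + 1)); fi; }
  echo "$1:"
  report ports_loopback_only "$2" "published ports bound to 127.0.0.1"
  report https_only "$3" "TLS listener present, port 80 only redirects"
  report launch_url_ok "$4" "launch URL is https with offline=1"
  report no_default_keystore_password "$5" "keystore password changed from default"
  [ "$failed" -eq 0 ]
}

audit "weak deployment" "$WEAK_COMPOSE" "$WEAK_NGINX" "http://diagrams.example.internal/" "$WEAK_ENV" || true
audit "hardened deployment" "$HARD_COMPOSE" "$HARD_NGINX" "https://diagrams.example.internal/?offline=1" "$HARD_ENV"
```

Run it on the real compose file, proxy config and env file of a deployment (substituting `"$(cat docker-compose.yml)"` and so on for the constructed samples) to get a pass/fail line for each of the points above; the checks are deliberately line-based so they work on any host with a POSIX shell, grep and sed.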
¶ 3) Control plugins and editor extensibility
- allow only approved plugins/extensions in enterprise deployments
- periodically review loaded plugin list and remove unused plugins
- restrict who can change frontend/editor configuration in production
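As an added example for point 3 (not code from the page or the draw.io project), the script below enforces a plugin allowlist on launch URLs and reviews a reverse-proxy access log for plugin requests outside it. draw.io loads its built-in plugins through the `p=` query parameter with IDs separated by semicolons; the approved set (`ex`, `tips`), the client addresses and the nginx-style log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page or the draw.io project): plugin
# allowlist for draw.io launch URLs plus a log review. The allowlist and
# the access-log excerpt are constructed samples.

APPROVED_PLUGINS="ex tips"

# Constructed nginx combined-format access-log excerpt.
ACCESS_LOG='10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?offline=1&p=ex;tips HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?offline=1&p=ex;anim HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?offline=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# plugin_ids URL_OR_PATH
# Prints the plugin IDs requested via p=, one per line; a URL-encoded
# semicolon (%3B) is treated as a separator as well.
plugin_ids() {
  printf '%s\n' "$1" \
    | tr '?&#' '\n\n\n' \
    | sed -n 's/^p=//p' \
    | sed 's/%3[Bb]/;/g' \
    | tr ';' '\n' \
    | sed '/^$/d'
}

# rejected_plugins URL_OR_PATH
# Prints every requested plugin ID that is not on the allowlist.
rejected_plugins() {
  plugin_ids "$1" | while read -r id; do
    case " $APPROVED_PLUGINS " in
      *" $id "*) ;;
      *) echo "$id" ;;
    esac
  done
}

# plugins_allowed URL
# 0 when every requested plugin is approved (or none is requested),
# 1 otherwise; the rejected IDs go to stderr.
plugins_allowed() {
  bad=$(rejected_plugins "$1")
  [ -z "$bad" ] && return 0
  echo "rejected plugin(s): $bad" >&2
  return 1
}

# unapproved_plugin_requests LOG_TEXT
# Prints "client plugin" for each log line whose request path asked for a
# plugin outside the allowlist (fields of the combined log format).
unapproved_plugin_requests() {
  printf '%s\n' "$1" | while read -r client d1 d2 d3 d4 d5 path rest; do
    for id in $(rejected_plugins "$path"); do
      echo "$client $id"
    done
  done
}

plugins_allowed 'https://diagrams.example.internal/?offline=1&p=ex;tips' && echo "launch URL OK"
unapproved_plugin_requests "$ACCESS_LOG"
```

Feeding the proxy's real access log to `unapproved_plugin_requests` gives the periodic "which plugins are actually being loaded, and by whom" review from point 3 without touching the editor itself; anything it reports is either a plugin to add to the allowlist deliberately or one to remove from the published launch URLs.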
- diagrams.net website: https://www.diagrams.net
- diagrams.net Docker image docs: https://github.com/jgraph/docker-drawio
- draw.io plugin management (official): https://www.drawio.com/doc/faq/delete-plugin