Yes. And a web server has an attack surface, no?

I think it’s reasonable to understand that nginx/Caddy serving static files (or better yet a public S3 bucket doing so) is way, way less of a risk than a dynamic application.

Of course, that’s true for those web servers. If kept up to date. If not, the attack surface is actually huge because exploits are well known.