Draw.io
Self-hosted diagram editor at draw.448.global, where architecture diagrams, flowcharts, and the like get drawn.
| Field | Value |
|---|---|
| Public URL | https://draw.448.global |
| Audience | engineering, ops, anyone making diagrams |
| Criticality | low |
| Maturity | [INFO NEEDED] |
| Owner | [INFO NEEDED] |
| Last reviewed | 2026-05-05 |
1. At a glance
Draw.io (also branded "diagrams.net") is a web-based diagramming tool — comparable to Lucidchart or Visio. We host it ourselves so diagrams aren't dependent on a third party. Diagrams are typically saved to local storage, the browser, or wherever we configure (often a shared MinIO bucket).
2. Business purpose
- Architecture diagrams without a SaaS subscription.
- Diagrams stay inside the company.
3. Audience
Internal staff.
4. Hosting & cloud infrastructure
Infrastructure map
| Item | Value | Notes |
|---|---|---|
| Public hostname | draw.448.global | |
| Public IP(s) | [INFO NEEDED] | |
| Open ports | 443 [CONFIRM] | |
| TLS cert | [INFO NEEDED] | |
| Reverse proxy | [INFO NEEDED] | |
| Container image / version | jgraph/drawio:[INFO NEEDED] | |
| Host server name | [INFO NEEDED] | |
| Storage backend | [INFO NEEDED] (browser local / MinIO / WebDAV) | |
Credentials in Vault
| Secret type | Vault path / link | Last rotated |
|---|---|---|
| MinIO credentials (if backend) | [INFO NEEDED] | |
| Any auth-proxy creds | [INFO NEEDED] | |
5. Technology behind it
- Type: off-the-shelf
- Product: Draw.io / diagrams.net (open-source)
- Stack: static-ish app (HTML+JS) served by Tomcat/Nginx; storage is delegated
6. Data it handles
- Diagram files (XML / `.drawio` files). May include sensitive architecture detail — IPs, credentials in diagrams (which shouldn't be there, but it happens).
7. External dependencies
- Storage backend (MinIO / WebDAV / browser-local).
8. Authentication & access
- End-user login: Draw.io itself has no auth — the editor is open. Access control comes from the reverse proxy / Authentik in front.
- MFA? Depends on auth-proxy configuration.
9. Maturity assessment
[INFO NEEDED]
10. Known risks & vulnerabilities
- [CONFIRM] No built-in auth — anyone who can reach the URL can edit. Reverse-proxy auth or VPN-only access is required.
- [INFO NEEDED] Diagrams leak architecture detail — sensitive IPs, hostnames, credentials sometimes drawn into diagrams.
- [INFO NEEDED] Storage durability — if diagrams are saved to browser local-storage and not backed to MinIO, they're lost when the user clears cookies.
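One way to check saved diagrams for the architecture detail described above, as an added example (not part of the original page or of Draw.io itself): a Python scan of `.drawio` files for IPv4 addresses and credential-like labels, covering both plain and compressed pages. The regex patterns, function names and sample file are assumptions made for illustration.

```python
import base64, re, zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Illustrative patterns (assumptions): tune to your own address ranges and secret formats.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+"),
}

def _page_model(diagram):
    """Return the mxGraphModel element of one <diagram> page."""
    model = diagram.find("mxGraphModel")
    if model is not None:  # page stored as plain XML
        return model
    # Compressed page: base64 -> raw DEFLATE -> URL-encoded XML.
    raw = zlib.decompress(base64.b64decode(diagram.text.strip()), -15)
    return ET.fromstring(unquote(raw.decode("utf-8")))

def scan_drawio(xml_text):
    """Return sorted (page, kind, match) findings from label text in a .drawio file."""
    findings = set()
    for diagram in ET.fromstring(xml_text).iter("diagram"):
        page = diagram.get("name", "?")
        for el in _page_model(diagram).iter():
            for attr in ("value", "label", "tooltip"):
                text = re.sub(r"<[^>]+>", " ", el.get(attr, ""))  # drop HTML label markup
                for kind, rx in PATTERNS.items():
                    findings.update((page, kind, m.group(0)) for m in rx.finditer(text))
    return sorted(findings)

def _compressed(model_xml):
    """Build a compressed page body for the constructed sample below."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(quote(model_xml).encode()) + c.flush()).decode()

# Constructed sample: one plain page, one compressed page; values are made up.
SAMPLE = (
    '<mxfile><diagram name="Network"><mxGraphModel><root>'
    '<mxCell id="2" value="db01&lt;br&gt;10.20.30.40"/>'
    '</root></mxGraphModel></diagram><diagram name="Deploy">'
    + _compressed('<mxGraphModel><root><mxCell id="2" '
                  'value="password: example-not-real"/></root></mxGraphModel>')
    + '</diagram></mxfile>'
)

if __name__ == "__main__":
    for page, kind, match in scan_drawio(SAMPLE):
        print(f"{page}: {kind}: {match}")
```

Run it over files exported from the storage backend. For files from outside the company, swap in a hardened XML parser such as `defusedxml`.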
11. Impact if it goes down
None for operations; minor inconvenience for documentation.
12. Owner & on-call
[INFO NEEDED]
13. References & links
- Public URL: https://draw.448.global
- Vendor docs: https://www.drawio.com
- Domain: see domains.md