epson2paperless is a LAN service. It listens for multicast discovery on 239.255.255.253:2968, accepts a push-scan trigger on TCP 2968, and opens a TLS session to the printer on TCP 1865. It is intended to run on a network segment you trust — your home LAN, a scanner VLAN, or similar.

Within that trust boundary, be aware of two deliberate design choices:

• The printer does not authenticate the host. Epson's "Scan to Computer" protocol has no host-side credential. Any machine on the same broadcast domain can register as a scan destination. This matches the stock Epson driver's behaviour.
• TLS to the printer is unverified (rejectUnauthorized: false). The ET-4950 ships a per-device factory-generated self-signed certificate — there is no CA chain to validate against, and no published fingerprint. Standard TLS validation would refuse every printer on the market. Our TLS connection gets confidentiality and integrity against a passive attacker, but not authentication of the peer: a LAN attacker who can impersonate PRINTER_IP during an active scan could feed arbitrary JPEG/PDF bytes into OUTPUT_DIR. Operators on networks they don't fully trust can opt in to fingerprint pinning by setting PRINTER_CERT_FINGERPRINT — the check fires at TLS handshake completion, before any protocol bytes are sent (see README's "Verifying the printer's TLS certificate").
• The /health endpoint binds to all interfaces and is LAN-reachable. It exposes a coarse lastScan timestamp. This is information-equivalent to the multicast keepalive traffic any LAN observer can already see on 239.255.255.253:2968, so binding to localhost would be cosmetic rather than substantive. Open by design so external monitoring tools (Uptime Kuma, healthchecks.io, etc.) can probe the service without per-deployment opt-in.

• Run the service on a network you trust. A dedicated scanner VLAN is ideal; a home LAN is usually fine. Don't expose the host to untrusted L2 (public Wi-Fi, shared hosting networks).
• Treat OUTPUT_DIR as untrusted input downstream. If you're pairing with Paperless-ngx, its consume directory already treats incoming files as untrusted — that's the right posture regardless of how they got there.
• Keep the printer firmware up to date. We have no visibility into the printer's own attack surface; that's Epson's problem, not ours, but you can help it along.

If you believe you've found a security issue in this code, please do not open a public issue. Instead:

• Open a GitHub security advisory (preferred — private by default), or
• Email the author at matt.theuma@gmail.com with epson2paperless security in the subject.

This is a personal project (see CONTRIBUTING.md), so response times are best-effort. I'll acknowledge within a reasonable window and credit reporters who'd like to be named once a fix is public.