Securing Wormhole

Wormhole provides an encrypted connection between the Dataplicity servers and the Dataplicity agent on your device. It does not, however, negate the need to ensure your device and your application both follow basic security precautions.


The importance of good code and staying up to date

Bots, spammers and hackers all cruise the internet looking for vulnerable web services, so it's important to protect your device. Since the web service hosted on your Pi is now publicly accessible, you need to write secure code and, where you are running an off-the-shelf web application, make sure you stay up to date.


Passwords

You may choose to require some authentication for your application:

  1. You could use NGINX basic-auth to put a simple password on your device; or
  2. You could use a more sophisticated form-based method built into your application.

Get more information about enabling basic auth via NGINX.


Firewall

In most cases, when NGINX or Apache is first installed it will listen and serve a website on all available interfaces ("0.0.0.0"). If your Pi is installed on a secured or restricted network that's probably fine, but if your Pi happens to be on a public network you may want to limit that access.

Wormhole forwards any web service that is listening on port 80 of the loopback interface (127.0.0.1) on your device. This means that a working web service on your Pi using Wormhole does not require the wider world to have direct access to port 80 on your Pi.

The simplest way to protect yourself is to enable a firewall:

sudo apt install -y ufw
sudo ufw enable
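
To see which listeners depend on the firewall alone, the following added example (not Dataplicity's own code) reads `ss -ltn` output and prints every port 80 listener bound beyond loopback. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: the function name is hypothetical, the samples are constructed.

# Reads `ss -ltn` lines on stdin and prints the bind address of every
# listener on the given port (default 80) that is not a loopback address.
exposed_web_listeners() {
    awk -v port="${1:-80}" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # the port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
            print addr
        }'
}

# Constructed sample: web server left on its default "all interfaces" bind.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    [::]:80            [::]:*'

# Constructed sample: web server bound to loopback only.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    127.0.0.1:80       0.0.0.0:*
LISTEN 0      511    [::1]:80           [::]:*'

echo "default bind:"
printf '%s\n' "$SAMPLE_DEFAULT" | exposed_web_listeners 80
echo "loopback bind:"
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_web_listeners 80

# On the device itself:  ss -ltn | exposed_web_listeners 80
```

An address printed by the function is reachable from the network unless the firewall blocks it. Binding the web server to 127.0.0.1 empties the list, and Wormhole keeps working because it forwards loopback port 80.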