Wormhole provides an encrypted connection between the Dataplicity servers and the Dataplicity agent on your device. It does not, however, negate the need to ensure your device and your application both follow basic security precautions.
Bots, spam and hackers all cruise the internet looking for vulnerable webservices, so it's important to protect your device. Since the web service hosted on your Pi is now publicly accessible, you need to remember to write secure code, and where you are running an off the shelf web application ensure you stay up to date.
You may choose to require some authentication for your application:
- You could use NGINX basic-auth to put a simple password on your device; or
- You could use a more sophisticated form-based method built into your application.
In most cases, when NGINX or Apache is first installed it will listen and serve a website on all available interfaces ("0.0.0.0"). If your Pi is installed on a secured or restricted network that's probably fine, but if your Pi happens to be on a public network you may want to limit that access.
Wormhole forwards any webservice that is listening on the loopback interface (127.0.0.1) port 80 on your device. What this means is that to have a working web service on your Pi using wormhole, the wider world does not require direct access to port 80 on your Pi.
The simplest way to protect yourself is to enable a firewall:
sudo apt install -y ufw sudo ufw enable
Updated 11 months ago