Appearance
Securing Wormhole-enabled web servers
Wormhole encrypts traffic between Dataplicity and the agent on your device. It does not replace application-level security - you must still protect the web service itself.
Write secure code and stay up to date
Bots and scanners probe public web services continuously. When Wormhole is enabled, your service is reachable from the internet. Keep off-the-shelf applications patched and follow secure coding practices for custom services.
Require authentication
Options:
- NGINX basic auth - simple username/password in front of the service
- Application login - form-based auth built into your app
Use current guidance for the reverse proxy or application version deployed on your device. Require strong credentials, rate limiting, and secure session handling.
Use a firewall
Bind the application only to the interface required by the configured Wormhole service. Do not open its local port to the wider network unless the product itself requires that access.
Use the operating system's supported firewall tooling as defence in depth. Review existing rules before enabling or replacing a firewall because a generic command can interrupt device networking or other managed services.
Production recommendations
- Do not expose admin interfaces via Wormhole without authentication
- Disable Wormhole when not needed
- Review Security model for fleet-wide guidance
- Use remote shell for interactive command-line access; use Wormhole only for web services that need a URL