HTTP Integration Security

Hello,

What are your suggestions for securing endpoints that consume the HTTP integration POSTs?

I can do IP whitelisting, but obviously that is not a particularly strong defense.
Based on the guide here: https://simpleisbetterthancomplex.com/tutorial/2016/10/31/how-to-handle-github-webhooks-using-django.html GitHub does some sort of secret hashing with the request body, but as far as I can tell, this is not possible with the static headers that the current integration supports.

Is there something I can do with the current version to ensure the messages are coming from the lora-app-server in my downstream application?

Regards,
-Eric

Hi,

Did you find any solutions? I am also looking at how to secure this HTTP integration. Is there a way I can authenticate the endpoint using a username and password?

Thanks in advance,

It will be more secret if you know how to design a good website :smiley:

That is why you can add headers :slight_smile:

Ahh yea, sorry, I didn’t realise. Thank you.

Maybe this is a philosophical question, but is adding static headers considered secure for an application integration? If we are using tokens, for example, shouldn’t they be renewed from time to time (hours?)
Is that possible to implement in ChirpStack?

Thanks
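
A receiver-side check for the static header approach discussed in this thread, as an added example that is not part of any post and is not ChirpStack code. The header name `X-Integration-Token` and both secret values are assumptions; accepting a current and a previous value lets the static header be rotated by hand without dropping events.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the thread): header name and secret values are
# constructed placeholders; configure the same header in the integration.
HEADER_NAME = "X-Integration-Token"
ACCEPTED_TOKENS = [
    "constructed-current-secret",   # value now configured as the static header
    "constructed-previous-secret",  # kept only during a manual rotation window
]


def is_authorized(headers, accepted=ACCEPTED_TOKENS, name=HEADER_NAME):
    """Return True if the request carries one of the accepted tokens."""
    presented = headers.get(name)
    if not presented:
        return False
    presented_b = presented.encode("utf-8")
    ok = False
    for token in accepted:
        # compare_digest avoids leaking the match position through timing;
        # every token is checked instead of returning on the first match.
        ok |= hmac.compare_digest(presented_b, token.encode("utf-8"))
    return ok


class IntegrationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not is_authorized(self.headers):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)  # event payload; hand off to the application here
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to localhost and terminate TLS in front (reverse proxy): a static
    # header is only a secret if the POST travels over HTTPS.
    HTTPServer(("127.0.0.1", 8080), IntegrationHandler).serve_forever()
```

Unlike the body hashing in the linked GitHub guide, a static header does not bind the secret to the request body, so it authenticates the sender only as long as the header value stays confidential in transit and at rest.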