Security of Electric Imp agent connection

Is there some kind of security setting that I can use to protect my HTTP agent connection as given by http.agenturl()?
Right now, anyone with the correct URL can access my device HTTP agent and command my device to do anything they want. Granted that the URL path is hard to guess (but is fixed for a particular device) and the command to my device is only known to me. But how many people would have a ‘status’ command for their device?

Yes, you can do all sorts of things - verify source addresses, verify secret tokens, challenge/response etc… there’s nothing implemented as standard though.

E.g., to reject connections not made by HTTPS, you could do:

    http.onrequest(function(request, res) {
        // The agent sees the original scheme in the x-forwarded-proto header
        if (request.headers["x-forwarded-proto"] != "https") {
            res.send(401, "Insecure access forbidden");
            return;
        }
        // …other handler code here…
    });
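One way to implement the "verify secret tokens" option mentioned in the reply above, as an added example that is not part of the original thread: the caller signs each request with an HMAC over a timestamp, the method and the body, and the agent rejects anything unsigned, stale or mismatched. The header names `x-timestamp` and `x-signature`, the message layout, the `"command"` event name and the five-minute window are assumptions made for illustration.

```squirrel
// Added example (not from the original thread): HMAC-signed agent requests.
// SHARED_SECRET is a placeholder; use a long random value known only to
// the agent and the authorised caller.
const SHARED_SECRET = "REPLACE_WITH_LONG_RANDOM_SECRET";
const MAX_SKEW_SECONDS = 300;   // assumed replay window

function isAuthorized(request) {
    local h = request.headers;  // header names arrive lower-cased
    if (!("x-timestamp" in h) || !("x-signature" in h)) return false;

    // Reject stale or future-dated requests to limit replay of captured calls
    local ts;
    try { ts = h["x-timestamp"].tointeger(); } catch (e) { return false; }
    local skew = time() - ts;
    if (skew < -MAX_SKEW_SECONDS || skew > MAX_SKEW_SECONDS) return false;

    // The signature covers the timestamp, method and body, so none of them
    // can be altered without knowing the secret
    local message = h["x-timestamp"] + "\n" + request.method + "\n" + request.body;
    local expected = http.base64encode(http.hash.hmacsha256(message, SHARED_SECRET));

    // Time-invariant comparison avoids leaking how many characters matched
    return crypto.equals(expected, h["x-signature"]);
}

http.onrequest(function(request, response) {
    if (!("x-forwarded-proto" in request.headers) ||
        request.headers["x-forwarded-proto"] != "https") {
        response.send(401, "Insecure access forbidden");
        return;
    }
    if (!isAuthorized(request)) {
        response.send(401, "Unauthorized");
        return;
    }
    // Only authenticated requests reach the device
    device.send("command", request.body);
    response.send(200, "OK");
});
```

The caller computes the same base64-encoded HMAC-SHA256 over `timestamp + "\n" + method + "\n" + body` and sends it in `x-signature`. Requests replayed inside the window are still accepted; tracking recently seen timestamps or nonces in the agent would close that gap.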

@Hugo, Thanks for the suggestion. I’ll have to think of something.
Meanwhile, I would expect that access to a particular feed would require a user to sign in with the Electric Imp server. It should know the user associated with any given feed. Yes?

It does, yes, but that’s not really a scalable solution (commercial users may have many, many thousands of devices and won’t want to be sharing credentials with their end users).