Authentication

To cut down the number of round trips, requests are sent directly from the scanner client rather than through a fixed relay. The source IP of an incoming request therefore cannot be predicted, so you cannot rely on whitelisting a fixed set of IP addresses to keep out DDoS traffic, exploit attempts and the like. Instead, each request carries an HMAC that the web service uses to verify that the request is authentic.

Verifying a Scanner Request

To recompute the HMAC on the server and verify it in Node.js, you can do the following:

```javascript
import crypto from 'crypto'

// `secret` is the shared secret configured for your endpoint;
// `data` is the parsed JSON body of the incoming scanner request.
const hmac = crypto.createHmac('sha512', secret).update(data.scanRequestId).digest('base64')

// Compare in constant time rather than with `===`, so the time taken to reject a
// guess does not reveal how many leading characters matched. timingSafeEqual
// requires equal-length buffers, so check the length first.
const expected = Buffer.from(hmac)
const provided = Buffer.from(String(data.hmac))
if (expected.length === provided.length && crypto.timingSafeEqual(expected, provided)) {
  // All good! Request is authentic
}
```

Security Best Practices

  • Always verify the HMAC before processing any request
  • Store your secret securely and never expose it in client-side code
  • Consider implementing rate limiting on your endpoint
  • Log all requests for audit purposes