Securing Webhooks

Overview

If you are not using the Datacake TTN option to connect your device to the Datacake Cloud, you should secure the device by requiring an access token in the webhook.

If you do not enable the authentication, in theory, someone else could craft a spoofed payload and transmit it to the Datacake webhook endpoints including the DevEUI of your device, which would result in this data to be stored on your device.

To prevent this, enable the "Webhook requires authentication" option either when creating the device or later in its configuration.

Is this required?

We call the authentication of the Webhook optional, because it is not necessarily required. However, once it is set up correctly, it is nothing more than a mouse click and we recommend using it especially for larger fleets.

Please note that this option or not enabling this option does not mean that a Webhook would be an insecure way to communicate. Basically, the Webhook establishes encrypted communication with the Datacake API. It could just happen that someone forwards wrong data over a compromised DevEUI. However, the probability of this happening is very low. A potential attacker would need the following:

  1. Description of the individual payload structure

  2. The exact DevEUI of your device

The latter (the DevEUI) is difficult to predict in its nature. You would have to steal it exactly from the sensor.

Securing a new LoRaWAN Device

When you create a new LoRaWAN Device using one of our provided templates you have the option to set the Securing of the Webhook during the Steps in the Configuration-Wizard.

You can always deactivate this option or skip this step during setup and activate it later using the Configuration Dialog of your Device. See "Securing an existing LoRaWAN Device" on this page.

Securing an existing LoRaWAN Device

When you already have devices that you want to secure using the optional Webhook Authentication method you can do this by going through the following steps and activate the authentication.

When the option is enabled, all requests to the Webhook need to have the Authorization-Header set to Token YOURTOKENHERE. To learn how to generate access tokens, please go to:

Configure Networks

To enable securing of Webhooks you need to provide an additional authorization header in your LoRaWAN Application. We are now providing some examples for those LoRaWAN Networks that Datacake has Integrations for.

TTN / TheThingsNetwork

In the following Screenshot you see how setting the Authentication Token looks like on the TTN LoRaWAN Network Server. In your Integration - where you set up the Webhook forwarder - you need to provide an extra Authentication-Header. This looks something like the following (Please not that the Token used in the Screenshot is just a fake one - you need to replace it by your real one).