In production, you should use TLS.
DSPS server itself does not support TLS, so terminate TLS at an HTTPS-capable load balancer or reverse proxy such as Nginx and run DSPS behind it.
You can protect endpoints with JWT; see the channels.jwt configuration block.
You can also revoke a JWT with the administration API.
By default, the server accepts admin API calls only from private IP addresses and only with a randomly generated API key.
To configure this, see the admin configuration block.
If you run this server behind a load balancer that replaces the source IP of incoming connections, be sure to set the http.realIpHeader and http.trustedProxyRanges configuration items.
Otherwise every request appears to come from the load balancer's own address, so the server cannot check the client's real IP address.
Keep http.trustedProxyRanges limited to your load balancer's addresses: any client can send the real-IP header itself, and the header is only meaningful when it arrives from a proxy you trust.
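The following is an added example, not DSPS's own code: a generic illustration of how a server behind a load balancer recovers the client's real IP from a header, and of what goes wrong when the real-IP header is unset or when the trusted proxy ranges are too wide. The function names, the X-Real-IP header name and all addresses are assumptions for illustration; resolve_client_ip() mirrors what http.realIpHeader and http.trustedProxyRanges configure, and admin_allowed() mirrors the default admin policy (private source IP plus API key).

```python
"""Added example, not DSPS code: real-IP resolution behind a load balancer.

Names, header and addresses are assumed for illustration only.
"""
import hmac
import ipaddress
from typing import Iterable, Mapping, Optional

# RFC 1918, loopback and IPv6 ULA, spelled out explicitly rather than relying
# on ipaddress.is_private, which also treats documentation ranges as private.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]


def _in_ranges(addr, ranges) -> bool:
    return any(addr in net for net in ranges)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      real_ip_header: Optional[str],
                      trusted_proxy_ranges: Iterable[str]) -> str:
    """Address to use for access control, given the TCP peer and the headers.

    The header is honoured only when the TCP peer is a trusted proxy: anyone
    can put "X-Real-IP: 10.0.0.1" in a request, so a header arriving from an
    untrusted peer is ignored. Header names are matched case-insensitively.
    """
    peer = ipaddress.ip_address(peer_ip)
    if real_ip_header is None:
        return str(peer)  # nothing configured: the peer is all the server knows
    trusted = [ipaddress.ip_network(r) for r in trusted_proxy_ranges]
    if not _in_ranges(peer, trusted):
        return str(peer)  # header from an untrusted source: ignore it
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(real_ip_header.lower(), "")
    chain = [v.strip() for v in value.split(",") if v.strip()]
    if not chain:
        return str(peer)  # trusted proxy sent no header (e.g. a health check)
    # With one trusted proxy layer the rightmost value is the one that proxy
    # set (X-Real-IP has a single value; X-Forwarded-For appends). Several
    # chained trusted proxies would require skipping trusted hops from the right.
    try:
        return str(ipaddress.ip_address(chain[-1]))
    except ValueError:
        return str(peer)  # malformed header: fall back to the TCP peer


def admin_allowed(client_ip: str, api_key: str, expected_key: str) -> bool:
    """Default admin policy described above: private source IP AND valid key."""
    private = _in_ranges(ipaddress.ip_address(client_ip), PRIVATE_RANGES)
    key_ok = hmac.compare_digest(api_key, expected_key)  # constant-time compare
    return private and key_ok


def demo() -> dict:
    """Constructed scenarios (no real traffic): LB at 10.0.0.2, client on the Internet."""
    lb, trusted = "10.0.0.2", ["10.0.0.0/8"]
    from_internet = {"X-Real-IP": "203.0.113.9"}  # set by the load balancer
    forged = {"X-Real-IP": "10.0.0.5"}             # chosen by the client itself
    return {
        # realIpHeader unset: every request through the LB appears to come
        # from 10.0.0.2, so the private-IP check passes for Internet clients.
        "unconfigured": resolve_client_ip(lb, from_internet, None, trusted),
        # Configured: the LB is in trustedProxyRanges, so its header is believed.
        "configured": resolve_client_ip(lb, from_internet, "X-Real-IP", trusted),
        # Peer outside trustedProxyRanges sends a forged header: ignored.
        "forged_untrusted_peer": resolve_client_ip("198.51.100.7", forged, "X-Real-IP", trusted),
        # trustedProxyRanges too wide (everyone): the forged header is believed.
        "trust_everyone": resolve_client_ip("198.51.100.7", forged, "X-Real-IP", ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        is_priv = _in_ranges(ipaddress.ip_address(ip), PRIVATE_RANGES)
        print(f"{name:22s} client seen as {ip:15s} private={is_priv}")
```

The two failure cases are the ones to watch for in a deployment: with no real-IP header configured, an Internet client passes the private-IP check because it is seen as the load balancer; with trustedProxyRanges covering everything, the client passes it by writing the header itself. With Nginx in front, the header is typically set with proxy_set_header X-Real-IP $remote_addr, and the trusted range should be the Nginx hosts' addresses only.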
Currently DSPS server only supports pre-configured outgoing webhooks, so you control the webhook destination through configuration.
To keep webhooks secure, apply the general practices for outgoing HTTP requests, such as the following:
- Use HTTPS (TLS)
- Send webhooks only to trusted destinations
- Do not send webhooks to a dynamic domain; the destination host name should be fixed
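As an added example (not DSPS code), the three rules above can be enforced when the webhook configuration is loaded, before any request is sent. The validator below rejects non-HTTPS URLs, IP literals and embedded credentials, and requires the host name to be one of a fixed list; the function name, the allow-list parameter and the sample URLs are assumptions for illustration.

```python
"""Added example, not DSPS code: config-time validation of webhook destinations."""
import ipaddress
from urllib.parse import urlsplit


def validate_webhook_url(url: str, allowed_hosts: set) -> list:
    """Return a list of problems; an empty list means the URL is acceptable.

    allowed_hosts is the fixed set of destination host names the operator
    has decided on (assumed here; not a DSPS setting).
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https (TLS)")
    host = parts.hostname or ""
    if not host:
        problems.append("URL has no host")
    else:
        # A raw IP literal is not a fixed domain name; require a host name so
        # the destination is both stable and verifiable by its certificate.
        try:
            ipaddress.ip_address(host)
            problems.append("destination must be a host name, not an IP literal")
        except ValueError:
            pass
        if host not in allowed_hosts:
            problems.append(f"host {host!r} is not in the fixed destination list")
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL are not allowed")
    return problems


if __name__ == "__main__":
    allowed = {"hooks.example.com"}  # constructed sample allow-list
    for sample in ("https://hooks.example.com/dsps",
                   "http://hooks.example.com/dsps",
                   "https://10.0.0.9/hook",
                   "https://user:pw@hooks.example.com/dsps"):
        print(sample, "->", validate_webhook_url(sample, allowed) or "ok")
```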
DSPS server sends some response headers by default, but you can override them for stronger security.
For instance, you can enable Strict-Transport-Security by setting that header on every response.
Use the http.defaultHeaders configuration item to set custom headers for all responses.