Security Considerations

Please consult the topics below for various security considerations.

Endpoint Security

It’s important to prevent outside access to the internal APIs. By default these are available on 127.0.0.1:8081 and are not protected with API security. When exposing these APIs to your internal network, take the appropriate measures to secure them (SSH, API security, etc.).

In addition to securing the internal APIs, it’s recommended to limit access to the public APIs using a reverse proxy. This will allow you to control access to the public APIs, do TLS termination and add additional security measures. Block any path that’s not used by the Nuts node.

(D)DoS Protection

Consider implementing (D)DoS protection on the application layer for all public endpoints. Monitor and log the following metrics:

  • Number of requests per second

  • Number of requests from a single IP address

  • Number of non-2xx responses

Any outliers should be investigated.

Maximum client body size for public-facing POST APIs

Various parts of the Nuts Node API allow for POST requests. To prevent abuse, you should limit the size of the request body. The following public APIs accept POST requests:

  • /discovery/{service}

  • /oauth2/{subjectID}/token

  • /oauth2/{subjectID}/request.jwt/{id}

  • /oauth2/{subjectID}/response

To prevent malicious uploads, you MUST limit the size of the requests. As a safeguard, the Nuts node will also limit the size of request bodies.

For example, Nginx has a configuration directive to limit the size of the request body:

client_max_body_size 1M;

The actual limit depends on your use case. It should be large enough for Verifiable Presentations to be uploaded, but small enough to prevent abuse.
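The reverse proxy, rate-limiting and body-size advice above, combined into one Nginx configuration as an added example (not the Nuts project's own configuration). It assumes the node's public HTTP interface listens on 127.0.0.1:8080; the hostname and certificate paths are placeholders, and the allowed path list must be extended with any other public paths your deployment uses.

```nginx
# Per-client-IP request-rate state shared by all public locations below.
limit_req_zone $binary_remote_addr zone=nuts_public:10m rate=10r/s;

# Log client IP, status and timing so requests/s, requests per IP and
# non-2xx counts can be derived from this file for monitoring.
log_format nuts_public '$remote_addr $time_iso8601 "$request" $status $body_bytes_sent $request_time';

upstream nuts_node {
    server 127.0.0.1:8080;   # assumption: public interface of the Nuts node
}

server {
    listen 443 ssl;
    server_name nuts.example.com;                               # placeholder

    ssl_certificate     /etc/ssl/certs/nuts.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/nuts.example.com.key;  # placeholder

    access_log /var/log/nginx/nuts_public.log nuts_public;

    # Default: anything not explicitly allowed below is rejected.
    location / {
        return 404;
    }

    # Public POST endpoints listed above: cap the body and rate limit.
    # 1M is a starting point; size it to the largest Verifiable Presentation
    # you expect to receive.
    location ~ ^/(discovery/[^/]+|oauth2/[^/]+/(token|request\.jwt/[^/]+|response))$ {
        client_max_body_size 1M;
        limit_req zone=nuts_public burst=20 nodelay;
        proxy_pass http://nuts_node;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # did:web documents must stay reachable and must be answered by the node,
    # not by a static copy; this is also the location to monitor.
    location ~ /did\.json$ {
        limit_req zone=nuts_public burst=20 nodelay;
        proxy_pass http://nuts_node;
    }
}
```

Requests exceeding the rate limit are answered with 503 and bodies over the limit with 413, both of which show up as non-2xx responses in the access log.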

Key rotation

It’s important to have a key rotation policy in place. The Nuts node uses keys for various signing operations. These operations are numerous and therefore keys should be rotated regularly.

Using did:web

The did:web method allows for easier integration with existing web infrastructure. However, it’s also less secure and vulnerable to domain takeover. When using did:web, you should consider the following:

  • Protect your domain from takeover. Make sure it’s locked for a year after cancelling the domain.

  • Monitor calls to **/did.json on the domain and make sure they are handled by the Nuts Node.

  • Using HashiCorp Vault or Microsoft Azure Key Vault to store the private keys is even more important when using did:web.

  • Use DNS over HTTPS and enable DNSSEC.